Similar Journals
IACR Transactions on Symmetric Cryptology
Number of Followers: 0 Open Access journal ISSN (Online) 2519-173X Published by Ruhr-Universität Bochum [4 journals] |
- Preface to Volume 2023, Issue 1
Authors: Christina Boura, Bart Mennink
Pages: 1 - 4
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.1-4
- Subverting Telegram’s End-to-End Encryption
Authors: Benoît Cogliati, Jordan Ethan, Ashwin Jha
Pages: 5 - 40
Abstract: Telegram is a popular secure messaging service with third biggest user base as of 2021. In this paper, we analyze the security of Telegram’s end-to-end encryption (E2EE) protocol in presence of mass-surveillance. Specifically, we show >that Telegram’s E2EE protocol is susceptible to fairly efficient algorithm substitution attacks. While official Telegram clients should be protected against this type of attack due their open-source nature and reproducible builds, this could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either on individuals through a targeted attack or massively through some compromised third-party clients. We provide an efficient algorithm substitution attack against MTProto2.0 — the underlying authenticated encryption scheme — that recovers significant amount of encryption key material with a very high probability with few queries and fairly low latency. This could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either through a targeted attack or a compromised third-party app. Our attack exploits MTProto2.0’s degree of freedom in choosing the random padding length and padding value. Accordingly, we strongly recommend that Telegram should revise MTProto2.0’s padding methodology. In particular, we show that a minor change in the padding description of MTProto2.0 makes it subversion-resistant in most of the practical scenarios. As a side-effect, we generalize the underlying mode of operation in MTProto2.0, as MTProto-G, and show that this generalization is a multi-user secure deterministic authenticated encryption scheme.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.5-40
- Attacking the IETF/ISO Standard for Internal Re-keying CTR-ACPKM
Authors: Orr Dunkelman, Shibam Ghosh, Eran Lambooij
Pages: 41 - 66
Abstract: Encrypting too much data using the same key is a bad practice from a security perspective. Hence, it is customary to perform re-keying after a given amount of data is transmitted. While in many cases, the re-keying is done using a fresh execution of some key exchange protocol (e.g., in IKE or TLS), there are scenarios where internal re-keying, i.e., without exchange of information, is performed, mostly due to performance reasons.
Originally suggested by Abdalla and Bellare, there are several proposals on how to perform this internal re-keying mechanism. For example, Liliya et al. offered the CryptoPro Key Meshing (CPKM) to be used together with GOST 28147-89 (known as the GOST block cipher). Later, ISO and the IETF adopted the Advanced CryptoPro Key Meshing (ACKPM) in ISO 10116 and RFC 8645, respectively.
In this paper, we study the security of ACPKM and CPKM. We show that the internal re-keying suffers from an entropy loss in successive repetitions of the rekeying mechanism. We show some attacks based on this issue. The most prominent one has time and data complexities of O(2κ/2) and success rate of O(2−κ/4) for a κ-bit key.
Furthermore, we show that a malicious block cipher designer or a faulty implementation can exploit the ACPKM (or the original CPKM) mechanism to significantly hinder the security of a protocol employing ACPKM (or CPKM). Namely, we show that in such cases, the entropy of the re-keyed key can be greatly reduced.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.41-66
- Finding Collisions for Round-Reduced Romulus-H
Authors: Marcel Nageler, Felix Pallua, Maria Eichlseder
Pages: 67 - 88
Abstract: The hash function Romulus-H is a finalist in the NIST Lightweight Cryptography competition. It is based on the Hirose double block-length (DBL) construction which is provably secure when used with an ideal block cipher. However, in practice, ideal block ciphers can only be approximated. Therefore, the security of concrete instantiations must be cryptanalyzed carefully; the security margin may be higher or lower than in the secret-key setting. So far, the Hirose DBL construction has been studied with only a few other block ciphers, like IDEA and AES. However, Romulus-H uses Hirose DBL with the SKINNY block cipher where only very little analysis has been published so far. In this work, we present the first practical analysis of Romulus-H. We propose a new framework for finding collisions in hash functions based on the Hirose DBL construction. This is in contrast to previous work that only focused on free-start collisions. Our framework is based on the idea of joint differential characteristics which capture the relationship between the two block cipher calls in the Hirose DBL construction. To identify good joint differential characteristics, we propose a combination of MILP and CP models. Then, we use these characteristics in another CP model to find collisions. Finally, we apply this framework to Romulus-H and find practical collisions of the hash function for 10 out of 40 rounds and practical semi-free-start collisions for up to 14 rounds.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.67-88
- Cryptanalysis of Reduced Round ChaCha – New Attack & Deeper
Analysis
Authors: Sabyasachi Dey, Hirendra Kumar Garai, Subhamoy Maitra
Pages: 89 - 110
Abstract: In this paper we present several analyses on ChaCha, a software stream cipher. First, we consider a divide-and-conquer approach on the secret key bits by partitioning them. The partitions are based on multiple input-output differentials to obtain a significantly improved attack on 6-round ChaCha256 with a complexity of 299.48. It is 240 times faster than the currently best known attack. This is the first time an attack on a round reduced ChaCha with a complexity smaller than 2k/2, where the secret key is of k bits, has been successful.
Further, all the attack complexities related to ChaCha are theoretically estimated in general and there are several questions in this regard as pointed out by Dey, Garai, Sarkar and Sharma in Eurocrypt 2022. In this regard, we propose a toy version of ChaCha, with a 32-bit secret key, on which the attacks can be implemented completely to verify whether the theoretical estimates are justified. This idea is implemented for our proposed attack on 6 rounds. Finally, we show that it is possible to estimate the success probabilities of these kinds of PNB-based differential attacks more accurately. Our methodology explains how different cryptanalytic results can be evaluated with better accuracy rather than claiming that the success probability is significantly better than 50%.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.89-110
- SoK: Modeling for Large S-boxes Oriented to Differential Probabilities and
Linear Correlations
Authors: Ling Sun, Meiqin Wang
Pages: 111 - 151
Abstract: Automatic methods for differential and linear characteristic search are well-established at the moment. Typically, the designers of novel ciphers also give preliminary analytical findings for analysing the differential and linear properties using automatic techniques. However, neither MILP-based nor SAT/SMT-based approaches have fully resolved the problem of searching for actual differential and linear characteristics of ciphers with large S-boxes. To tackle the issue, we present three strategies for developing SAT models for 8-bit S-boxes that are geared toward differential probabilities and linear correlations. While these approaches cannot guarantee a minimum model size, the time needed to obtain models is drastically reduced. The newly proposed SAT model for large S-boxes enables us to establish that the upper bound on the differential probability for 14 rounds of SKINNY-128 is 2−131, thereby completing the unsuccessful work of Abdelkhalek et al. We also analyse the seven AES-based constructions C1 - C7 designed by Jean and Nikolić and compute the minimum number of active S-boxes necessary to cause an internal collision using the SAT method. For two constructions C3 and C5, the current lower bound on the number of active S-boxes is increased, resulting in a more precise security analysis for these two structures.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.111-151
- SAT-aided Automatic Search of Boomerang Distinguishers for ARX Ciphers
Authors: Dachao Wang, Baocang Wang, Siwei Sun
Pages: 152 - 191
Abstract: In Addition-Rotation-Xor (ARX) ciphers, the large domain size obstructs the application of the boomerang connectivity table. In this paper, we explore the problem of computing this table for a modular addition and the automatic search of boomerang characteristics for ARX ciphers. We provide dynamic programming algorithms to efficiently compute this table and its variants. These algorithms are the most efficient up to now. For the boomerang connectivity table, the execution time is 42(n − 1) simple operations while the previous algorithm costs 82(n − 1) simple operations, which generates a smaller model in the searching phase. After rewriting these algorithms with boolean expressions, we construct the corresponding Boolean Satisfiability Problem models. Two automatic search frameworks are also proposed based on these models. This is the first time bringing the SAT-aided automatic search techniques into finding boomerang attacks on ARX ciphers. Finally, under these frameworks, we find out the first verifiable 10-round boomerang trail for SPECK32/64 with probability 2−29.15 and a 12-round trail for SPECK48/72 with probability 2−44.15. These are the best distinguishers for them so far. We also perceive that the previous boomerang attacks on LEA are constructed with an incorrect computation of the boomerang connection probability. The result is then fixed by our frameworks.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.152-191
- Tight Multi-User Security Bound of DbHtS
Authors: Nilanjan Datta, Avijit Dutta, Mridul Nandi, Suprita Talnikar
Pages: 192 - 223
Abstract: In CRYPTO’21, Shen et al. proved that Two-Keyed-DbHtS construction is secure up to 22n/3 queries in the multi-user setting independent of the number of users. Here the underlying double-block hash function H of the construction realized as the concatenation of two independent n-bit keyed hash functions (HKh,1,HKh,2), and the security holds under the assumption that each of the n-bit keyed hash function is universal and regular. The authors have also demonstrated the applicability of their result to the key-reduced variants of DbHtS MACs, including 2K-SUM-ECBC, 2K-PMAC_Plus and 2K-LightMAC_Plus without requiring domain separation technique and proved 2n/3-bit multi-user security of these constructions in the ideal cipher model. Recently, Guo and Wang have invalidated the security claim of Shen et al.’s result by exhibiting three constructions, which are instantiations of the Two-Keyed-DbHtS framework, such that each of their n-bit keyed hash functions are O(2−n) universal and regular, while the constructions themselves are secure only up to the birthday bound. In this work, we show a sufficient condition on the underlying Double-block Hash (DbH) function, under which we prove an improved 3n/4-bit multi-user security of the Two-Keyed-DbHtS construction in the ideal-cipher model. To be more precise, we show that if each of the n-bit keyed hash function is universal, regular, and cross-collision resistant then it achieves the desired security. As an instantiation, we show that two-keyed Polyhash-based DbHtS construction is multi-user secure up to 23n/4 queries in the ideal-cipher model. Furthermore, due to the generic attack on DbHtS constructions by Leurent et al. in CRYPTO’18, our derived bound for the construction is tight.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.192-223
- Indifferentiability of the Sponge Construction with a Restricted Number of
Message Blocks
Authors: Charlotte Lefevre
Pages: 224 - 243
Abstract: The sponge construction is a popular method for hashing. Quickly after its introduction, the sponge was proven to be tightly indifferentiable from a random oracle up to ≈ 2c/2 queries, where c is the capacity. However, this bound is not tight when the number of message blocks absorbed is restricted to ℓ < ⌈ c / 2(b−c) ⌉ + 1 (but still an arbitrary number of blocks can be squeezed). In this work, we show that this restriction leads to indifferentiability from a random oracle up to ≈ min { 2b/2, max { 2c/2, 2b−ℓ×(b−c) }} queries, where b > c is the permutation size. Depending on the parameters chosen, this result allows to have enhanced security or to absorb at a larger rate for applications that require a fixed-length input hash function.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.224-243
- Chosen-Key Secure Even-Mansour Cipher from a Single Permutation
Authors: Shanjie Xu, Qi Da, Chun Guo
Pages: 244 - 287
Abstract: At EUROCRYPT 2015, Cogliati and Seurin proved that the 4-round Iterated Even-Mansour (IEM) cipher with Independent random Permutations and no key schedule EMIP4(k, u) = k⊕p4 ( k⊕p3 ( k⊕p2 (k⊕p1 (k⊕u)))) is sequentially indifferentiable from an ideal cipher, which implies chosen-key security in the sense of correlation intractability. In practice, however, blockciphers such as the AES typically employ the same permutation at each round. To bridge the gap, we prove that the 4-round IEM cipher EMSP[φ]p4 (k, u) = k4⊕p (k3⊕p (k2⊕p(k1⊕p(k0⊕u)))) , whose round keys ki = φi(k) are derived using an affine permutation φ : {0, 1}n → {0, 1}n with certain properties, is sequentially indifferentiable from an ideal cipher. The function φ can be a linear orthomorphism, or φ(k) := k≫a for some fixed integer a using cyclic shift. To our knowledge, this is the first indifferentiability-type result for blockciphers using identical round functions.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.244-287
- Secure Message Authentication in the Presence of Leakage and Faults
Authors: Francesco Berti, Chun Guo, Thomas Peters, Yaobin Shen, François-Xavier Standaert
Pages: 288 - 315
Abstract: Security against side-channels and faults is a must for the deployment of embedded cryptography. A wide body of research has investigated solutions to secure implementations against these attacks at different abstraction levels. Yet, to a large extent, current solutions focus on one or the other threat. In this paper, we initiate a mode-level study of cryptographic primitives that can ensure security in a (new and practically-motivated) adversarial model combining leakage and faults. Our goal is to identify constructions that do not require a uniform protection of all their operations against both attack vectors. For this purpose, we first introduce a versatile and intuitive model to capture leakage and faults. We then show that a MAC from Asiacrypt 2021 natively enables a leveled implementation for fault resilience where only its underlying tweakable block cipher must be protected, if only the tag verification can be faulted. We finally describe two approaches to amplify security for fault resilience when also the tag generation can be faulted. One is based on iteration and requires the adversary to inject increasingly large faults to succeed. The other is based on randomness and allows provable security against differential faults.
PubDate: 2023-03-10
DOI: 10.46586/tosc.v2023.i1.288-315