
Simpira v2: A Family of Efficient Permutations Using the AES Round Function [chapter]

Shay Gueron, Nicky Mouha
2016 Lecture Notes in Computer Science  
In the next section, we show how the unkeyed setting leads to invariant subspace attacks on Simpira v1 for b = 4. 9 Invariant Subspace Attacks Leander et al. [58] introduced the term invariant subspace  ...  We searched for invariant subspaces in all Simpira v2 variants, but were unable to find any.  ... 
doi:10.1007/978-3-662-53887-6_4 fatcat:3wjksrkgqzgo3pg57fpdq6cffu

Impossible differential attack on Simpira v2

Rui Zong, Xiaoyang Dong, Xiaoyun Wang
2017 Science China Information Sciences  
Those are the first attacks on the round-reduced Simpira v2 and do not threaten the Even-Mansour mode with the full 15-round Simpira-4.  ...  round impossible differentials, we propose a series of 7-round key recovery attacks on the block cipher mode; each 6-round impossible differential helps recover 32 bits of the master key (512 bits), and in  ...  In addition, Rønjom reported on the invariant subspaces in Simpira v1 with x = 4 [18].  ... 
doi:10.1007/s11432-016-9075-6 fatcat:6365375suffqbevgkbodbaa6g4

Cryptanalysis of Simpira v1 [chapter]

Christoph Dobraunig, Maria Eichlseder, Florian Mendel
2017 Lecture Notes in Computer Science  
The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers.  ...  Simpira v1 is a recently proposed family of permutations, based on the AES round function.  ...  We thank the Simpira designers Shay Gueron and Nicky Mouha for verifying our results and providing useful suggestions.  ... 
doi:10.1007/978-3-319-69453-5_16 fatcat:dxhmopucrbe77oypcn2uauyx2i

(Quantum) Collision Attacks on Reduced Simpira v2

Boyu Ni, Xiaoyang Dong, Keting Jia, Qidi You
2021 IACR Transactions on Symmetric Cryptology  
In this paper, we build an improved MILP model to count the differential and linear active Sboxes for Simpira v2, which achieves tighter bounds of the minimum number of active Sboxes for a few versions  ...  of Simpira v2.  ...  There have been several cryptanalysis papers on Simpira. Rønjom [Røn16] proposed an invariant subspace attack on Simpira v1, an informal version of Simpira. At SAC 2016, Dobraunig et al.  ... 
doi:10.46586/tosc.v2021.i2.222-248 fatcat:e5wztfjpufg4fm6m4nahxkrhgu

Symmetric Cryptography (Dagstuhl Seminar 16021)

Frederik Armknecht, Tetsu Iwata, Kaisa Nyberg, Bart Preneel, Marc Herbstritt
2016 Dagstuhl Reports  
It was the fifth in the series of the Dagstuhl seminars "Symmetric Cryptography" held in 2007, 2009, 2012, and 2014.  ...  From January 10-15, 2016, the seminar 16021 in Symmetric Cryptography was held in Schloss Dagstuhl - Leibniz Center for Informatics.  ...  Invariant Subspace Attack Against Full Midori64 (Yu Sasaki)  ... 
doi:10.4230/dagrep.6.1.34 dblp:journals/dagstuhl-reports/ArmknechtINP16 fatcat:3p4woms76ncrdm5hkd2iempk74

Nonlinear Approximations in Cryptanalysis Revisited

Christof Beierle, Anne Canteaut, Gregor Leander
2018 IACR Transactions on Symmetric Cryptology  
., with correlation ±1) nonlinear approximation we show that in many cases, such a nonlinear approximation implies the existence of a highly-biased linear approximation.  ...  Using this framework we in particular show that there exist ciphers for which some transformed versions are significantly weaker with regard to linear cryptanalysis than their original counterparts.  ...  The nonlinear invariant attack could be viewed in terms of an invariant subspace of dimension (n − 1) over the transformed cipher.  ... 
doi:10.13154/tosc.v2018.i4.80-101 dblp:journals/tosc/BeierleCL18 fatcat:33n6ibzsazcszf6ij4a56snqwm

Proving Resistance Against Invariant Attacks: How to Choose the Round Constants [chapter]

Christof Beierle, Anne Canteaut, Gregor Leander, Yann Rotella
2017 Lecture Notes in Computer Science  
In fact, several of those schemes were recently broken using invariant attacks, i.e., invariant subspace or nonlinear invariant attacks.  ...  Many lightweight block ciphers apply a very simple key schedule in which the round keys only differ by addition of a round-specific constant.  ...  Then, this subspace is the smallest linear subspace of $\mathbb{F}_2^n$ invariant under L which contains c.  ... 
doi:10.1007/978-3-319-63715-0_22 fatcat:c4m4ghlajzamfkd276tu7lkimi

Nonlinear Approximations in Cryptanalysis Revisited

Christof Beierle, Anne Canteaut, Gregor Leander
2018 IACR Transactions on Symmetric Cryptology  
., with correlation ±1) nonlinear approximation we show that in many cases, such a nonlinear approximation implies the existence of a highly-biased linear approximation.  ...  Using this framework we in particular show that there exist ciphers for which some transformed versions are significantly weaker with regard to linear cryptanalysis than their original counterparts.  ...  The nonlinear invariant attack could be viewed in terms of an invariant subspace of dimension (n − 1) over the transformed cipher.  ... 
doi:10.46586/tosc.v2018.i4.80-101 fatcat:2h6u7f2do5bs5b5hbckokweudi

On the Resilience of Even-Mansour to Invariant Permutations

Bart Mennink, Samuel Neves
2021 Designs, Codes and Cryptography  
Recent invariant subspace attacks have shown that these can be a serious issue.  ...  One way to mitigate invariant subspace attacks is at the primitive level, namely by proper use of round constants (Beierle et al., CRYPTO 2017).  ...  It can furthermore readily be extended to match the invariant subspaces found on Simpira v1 [97], or the attacks that rely on a block cipher hitting a particular set of bad keys.  ... 
doi:10.1007/s10623-021-00850-2 fatcat:g7gxepprufbkdgxlhsruvia45y

Practical Low Data-Complexity Subspace-Trail Cryptanalysis of Round-Reduced PRINCE [chapter]

Lorenzo Grassi, Christian Rechberger
2016 Lecture Notes in Computer Science  
In this paper, we consider PRINCE, a widely analyzed block cipher proposed in 2012.  ...  After the identification of a 2.5 rounds subspace trail of PRINCE, we present several (truncated differential) attacks up to 6 rounds of PRINCE.  ...  Bardeh for pointing out an error in the C/C++ implementation of PRINCE block cipher. The work in this paper has been partially supported by the Austrian Science Fund (project P26494-N15).  ... 
doi:10.1007/978-3-319-49890-4_18 fatcat:6cqqmlfvmjdxfkhnowmdkd6egm

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES

Lorenzo Grassi
2018 IACR Transactions on Symmetric Cryptology  
Here we theoretically prove that for 4-round AES the corresponding ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the  ...  In this paper we introduce "Mixture Differential Cryptanalysis" on round-reduced AES-like ciphers, a way to translate the (complex) "multiple-of-8" 5-round distinguisher into a simpler and more convenient  ...  Then if F(V ⊕ a) = V ⊕ a we say that V ⊕ a is an invariant coset of the subspace V for the function F.  ... 
doi:10.13154/tosc.v2018.i2.133-160 dblp:journals/tosc/Grassi18 fatcat:7hql4rlszfcknhxxg4m3mh3ty4

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES

Lorenzo Grassi
2018 IACR Transactions on Symmetric Cryptology  
Here we theoretically prove that for 4-round AES the corresponding ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the  ...  In this paper we introduce "Mixture Differential Cryptanalysis" on round-reduced AES-like ciphers, a way to translate the (complex) "multiple-of-8" 5-round distinguisher into a simpler and more convenient  ...  Then if F(V ⊕ a) = V ⊕ a we say that V ⊕ a is an invariant coset of the subspace V for the function F.  ... 
doi:10.46586/tosc.v2018.i2.133-160 fatcat:qo6nav6febc7hcfpq4pyvdc25e

Yoyo Tricks with AES [chapter]

Sondre Rønjom, Navid Ghaedi Bardeh, Tor Helleseth
2017 Lecture Notes in Computer Science  
In this paper we present new fundamental properties of SPNs.  ...  In addition, we present the first key-independent distinguisher for 6-round AES based on yoyos that preserve impossible zero differences in plaintexts and ciphertexts.  ...  Other types of structural attacks relevant in our setting include invariant subspace attacks [5, 6] and subspace trail cryptanalysis [7, 8]. Moreover, one may also note the paper by Ferguson et al.  ... 
doi:10.1007/978-3-319-70694-8_8 fatcat:xewqdjpiwngwrl3pno4bieneym

Dagstuhl Reports, Volume 6, Issue 1, January 2016, Complete Issue [article]

2016
Preliminary results have been published in [2].  ...  For example, the NSF in the US explicitly requests "broader impact" statements, DARPA in the US often runs programs with the goal of transitioning technology to industry or government, and REF in the UK  ...  The first approach is extending the class of invariant subspaces, which reveals weaker keys.  ... 
doi:10.4230/dagrep.6.1 fatcat:vq74ezrwifbkhex6twvtdzbpaa