Gimli is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate Gimli is based on the permutation Gimli, which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in Gimli and its internal symmetries to build, for the first time, a distinguisher on the full permutation of complexity 2^64. We also provide a practical distinguisher on 23 out of the full 24 rounds of Gimli that has been implemented. Next, we give (full state) collision and semi-free-start collision attacks on Gimli-Hash, reaching respectively up to 12 and 18 rounds. On the practical side, we compute a collision on 8-round Gimli-Hash. In the quantum setting, these attacks reach 2 more rounds. Finally, we perform the first study of linear trails in the permutation, and we propose differential-linear cryptanalysis that reaches up to 17 rounds of Gimli.
In this work, we study the security of several recent MAC constructions with provable security beyond the birthday bound. We consider block-cipher based constructions with a double-block internal state, such as SUM-ECBC, PMAC+, 3kf9, GCM-SIV2, and some variants (LightMAC+, 1kPMAC+). All these MACs have a security proof up to 2^{2n/3} queries, but there are no known attacks with less than 2^n queries. We describe a new cryptanalysis technique for double-block MACs based on finding quadruples of messages with four pairwise collisions in halves of the state. We show how to detect such quadruples in SUM-ECBC, PMAC+, 3kf9, GCM-SIV2 and their variants with O(2^{3n/4}) queries, and how to build a forgery attack with the same query complexity. The time complexity of these attacks is above 2^n, but it shows that the schemes do not reach full security in the information theoretic model. Surprisingly, our attack on LightMAC+ also invalidates a recent security proof by Naito. Moreover, we give a variant of the attack against SUM-ECBC and GCM-SIV2 with time and data complexity Õ(2^{6n/7}). As far as we know, this is the first attack with complexity below 2^n against a deterministic beyond-birthday-bound secure MAC. As a side result, we also give a birthday attack against 1kf9, a single-key variant of 3kf9 that was withdrawn due to issues with the proof.
Outline: Introduction. The counter mode. Missing difference problem. Cryptanalysis. Conclusion.

Mode of operation: describes how to use a block cipher along with a plaintext message of arbitrary length to achieve some concrete cryptographic goals. m_i: the plaintext. E_k: the block cipher. c_i: the ciphertext. IV: the initialisation value. Counter mode encrypts as c_i = E_k(IV_i) ⊕ m_i, so the keystream blocks are K_i = E_k(IV_i).

Security proof (σ the number of blocks): Adv^{IND}_{CTR-E_k}(σ) ≤ Adv^{PRF}_{E_k}(σ) ≤ Adv^{PRP}_{E_k}(σ) + σ^2 / 2^{n+1}.

Distinguisher: after σ ≈ 2^{n/2} encrypted blocks we expect a collision on the K_i with high probability in the case of a random ciphertext. That is the birthday bound coming from the birthday paradox. The distinguisher uses the fact that K_i ⊕ K_j ≠ 0 for i ≠ j, which implies K_i ⊕ c_j ≠ S for all i ≠ j.

Main idea: collect many keystream blocks K_i and encryptions of a secret block, c_j = K_j ⊕ S; then look for a value S such that K_i ⊕ c_j ≠ S for all i ≠ j.
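The birthday-bound distinguisher and the missing-difference idea above, as an added Python simulation that is not from the slides or the paper: E_k is modelled as a random permutation on a constructed toy block size n = 16, and the seed, secret block and block counts are constructed values.

```python
import random

N_BITS = 16                # toy block size (constructed); real ciphers use n = 64 or 128
MOD = 1 << N_BITS

def random_permutation(seed):
    """Idealised block cipher E_k on n-bit blocks: a random permutation (constructed)."""
    table = list(range(MOD))
    random.Random(seed).shuffle(table)
    return table

def ctr_keystream(perm, iv, count):
    """Counter-mode keystream K_i = E_k(IV + i). No K_i repeats because E_k is a permutation."""
    return [perm[(iv + i) % MOD] for i in range(count)]

def random_stream(seed, count):
    """Stream of uniformly random blocks: what an ideal PRF-based mode would output."""
    rng = random.Random(seed)
    return [rng.randrange(MOD) for _ in range(count)]

def has_collision(blocks):
    """Birthday-bound distinguisher from the slides: a random stream repeats a block
    after about 2^(n/2) outputs, a CTR keystream never does."""
    return len(set(blocks)) != len(blocks)

def missing_difference_candidates(known_keystream, secret_ciphertexts):
    """All S' with K_i xor c_j != S' for every observed pair (i, j).

    Since c_j = K_j xor S and K_i != K_j whenever i != j, the true S never appears as a
    difference and always survives; every other value is ruled out once roughly 2^n
    pairs (about 2^(n/2) blocks of each kind) have been observed."""
    seen = {k ^ c for k in known_keystream for c in secret_ciphertexts}
    return [s for s in range(MOD) if s not in seen]

def recover_secret(seed=1, secret=0xBEEF, blocks=2048):
    """Run the missing-difference search on a toy instance; returns surviving candidates for S."""
    perm = random_permutation(seed)
    # Known-plaintext part: encrypting zero blocks under counters 0..blocks-1 reveals K_i.
    known = ctr_keystream(perm, 0, blocks)
    # Secret part: the same block S encrypted under the next 'blocks' counters, so every
    # (i, j) pair uses distinct counters and the i != j condition holds automatically.
    secret_cts = [k ^ secret for k in ctr_keystream(perm, blocks, blocks)]
    return missing_difference_candidates(known, secret_cts)

if __name__ == "__main__":
    perm = random_permutation(1)
    print("CTR collision after 2^12 blocks:", has_collision(ctr_keystream(perm, 0, 4096)))
    print("random collision after 2^12 blocks:", has_collision(random_stream(1, 4096)))
    print("candidates with 64 blocks of each kind:", len(recover_secret(blocks=64)))
    print("candidates with 2048 blocks of each kind:", recover_secret())
```

With 64 blocks of each kind almost every value survives, while with 2048 (well past 2^{n/2} = 256 for this toy n) only S does, which is why rekeying well before 2^{n/2} blocks is the relevant defence for counter mode with a small block size.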
The iterated Even-Mansour construction is an elegant construction that idealizes block cipher designs such as the AES. In this work we focus on the simplest variant, the 2-round Even-Mansour construction with a single key. This is the most minimal construction that offers security beyond the birthday bound: there is a security proof up to 2^{2n/3} evaluations of the underlying permutations and encryption, and the best known attacks have a complexity of roughly 2^n/n operations. We show that attacking this scheme with block size n is related to the 3-XOR problem with element size 2n, an important algorithmic problem that has been studied since the nineties. In particular, the 3-XOR problem with elements of size 2n is known to require at least 2^{2n/3} queries, and the best known algorithms require around 2^n/(2n) operations: this roughly matches the known bounds for the 2-round Even-Mansour scheme. Using this link we describe new attacks against the 2-round Even-Mansour scheme. In particular, we obtain the first algorithms where both the data and the memory complexity are significantly lower than 2^n. From a practical standpoint, previous works with a data and/or memory complexity close to 2^n are unlikely to be more efficient than a simple brute-force search over the key. Our best algorithm requires just λn known plaintext/ciphertext pairs, for some constant 0 < λ < 1, 2^n/(λn) time, and 2^{λn} memory. For instance, with n = 64 and λ = 1/2, the memory requirement is practical, and we gain a factor 32 over brute-force search. We also describe an algorithm with asymptotic complexity O(2^n ln^2 n / n^2), improving the previous asymptotic complexity of O(2^n/n), using a variant of the 3-SUM algorithm of Baran, Demaine, and Pǎtraşcu.
Gimli is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate Gimli is based on the permutation Gimli, which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in Gimli and its internal symmetries to build, for the first time, a distinguisher on the full permutation of complexity 2^64. We also provide a practical distinguisher on 23 out of the full 24 rounds of Gimli that has been implemented. Next, we give (full state) collision and semi-free start collision attacks on Gimli-Hash, reaching, respectively, up to 12 and 18 rounds. On the practical side, we compute a collision on 8-round Gimli-Hash. In the quantum setting, these attacks reach 2 more rounds. Finally, we perform the first study of linear trails in Gimli, and we find a linear distinguisher on the full permutation.