State-Recovery Attacks on Modified Ketje Jr

Fuhr, Thomas; Naya-Plasencia, Maŕıa; Rotella, Yann

doi:10.46586/tosc.v2018.i1.29-56

Cited by 4 publications

(12 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the squeezing phase, Subterranean 2.0 outputs a block of 32 bits, each of which is the sum of two state bits: Z i = s 12 4i + s −12 4i , for 0 ≤ i < 32. Instead of outputting state bits directly, this extraction function is meant to frustrate state recovery attacks [10] in the nonce respected setting. In our one-round differential analysis, this extraction function allows more state bits…”

Section: Relation To the Extraction Functionmentioning

confidence: 99%

Security analysis of Subterranean 2.0

Song

Shi

et al. 2021

Des. Codes Cryptogr.

View full text Add to dashboard Cite

Subterranean 2.0 is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella, and has been selected as a candidate in the second round of NIST’s lightweight cryptography standardization process. Subterranean 2.0 is a duplex-based construction and utilizes a single-round permutation in the duplex. It is the simplicity of the round function that makes it an attractive target of cryptanalysis. In this paper, we examine the single-round permutation in various phases of Subterranean 2.0 and specify three related attack scenarios that deserve further investigation: keystream biases in the keyed squeezing phase, state collisions in the keyed absorbing phase, and one-round differential analysis in the nonce-misuse setting. To facilitate cryptanalysis in the first two scenarios, we novelly propose a set of size-reduced toy versions of Subterranean 2.0: Subterranean-m. Then we make an observation for the first time on the resemblance between the non-linear layer in the round function of Subterranean 2.0 and SIMON’s round function. Inspired by the existing work on SIMON, we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing similar non-linear operations. We then construct our models for searching trails to be used in the keystream bias evaluation and state collision attacks. Our results show that most instances of Subterranean-m are secure in the first two attack scenarios but there exist instances that are not. Further, we find a flaw in the designers’ reasoning of Subterranean 2.0’s linear bias but support the designers’ claim that there is no linear bias measurable from at most $$2^{96}$$ 2 96 data blocks. Due to the time-consuming search, the security of Subterranean 2.0 against the state collision attack in keyed modes still remains an open question. Finally, we observe that one-round differentials allow to recover state bits in the nonce-misuse setting. By proposing nested one-round differentials, we obtain a sufficient number of state bits, leading to a practical state recovery with only 20 repetitions of the nonce and 88 blocks of data. It is noted that our work does not threaten the security of Subterranean 2.0.

show abstract

Section: Relation To the Extraction Functionmentioning

confidence: 99%

Security analysis of Subterranean 2.0

Song

Shi

et al. 2021

Des. Codes Cryptogr.

View full text Add to dashboard Cite

show abstract

“…The security claimed by the authors for KETJE JR is determined by (96 ) for a key of size k. Based on the idea of meet-in-the-middle and the divide-and-conquer strategy, Ref. [12] gives state-recovery attacks on modified KETJE JR whose computation complexities are lower than exhaustive attack by using several consecutive blocks of keystream. The following is a brief introduction to the basic idea of this attack.…”

Section: State-recovery Attacks On Ketje Jr Based On Divide-and-conquer Strategymentioning

confidence: 99%

“…For details, please refer to Ref. [12]. Assume that the size of each keystream block is 40 bits, i.e.…”

Section: State-recovery Attacks On Ketje Jr Based On Divide-and-conquer Strategymentioning

confidence: 99%

“…Since each bit of [ ] is a nonlinear function of , in order to meet the conditions of divide-and-conquer, Ref. [12] gives a method called preliminary guessing. By guessing partial values of , the representations of some bits in [ ] can be derived from the function of front half and the function of back half of , and then we can combine 0 [ ] to sieve the guessed internal state values.…”

Section: Improved State-recovery Attack On Ketje Jr When R=40mentioning

confidence: 99%

“…In addition, by introducing the kernel quadratic term to overcome the problem of few degrees of freedom, Li et al [10] further improved the results of conditional cube attacks on KETJE SR. Based on the same idea, Zhou et al [11] gave a practical key recovery attack on 5-round KETJE JR. In addition, in 2018, Fuhr et al [12] proposed a state-recovery attack on the modified KETJE JR with the usage of the divide-and-conquer method.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Improved State-Recovery Attacks on Modified KETJE JR

2021

Proceedings of 2021 the 11th International Workshop on Computer Science and Engineering

View full text Add to dashboard Cite

KETJE, a lightweight authenticated encryption cipher is a third-round candidate of CAESAR competition whose design principles are similar to SHA-3 hash function. Fuhr et al. studied the security of KETJE JR against divide-and-conquer attacks and proposed state-recovery attacks on modified KETJE JR. In this paper, we study the relations among the algebraic representations of internal state bits, and find new guessing strategies based on Fuhr et al.'s method. With the usage of new guessing strategies, we improve the state-recovery attacks on KETJE JR v1 when r=40 and r=32. Compared with Fuhr et al.'s work, our results are more efficient. The relults do not threaten the security of KETJE in practice, but provide evidence for improving the efficiency of KETJE by increasing the rate.

show abstract