Cryptanalysis of ForkAES

  • Subhadeep Banik
  • Jannis Bossert
  • Amit Jana
  • Eik List
  • Stefan Lucks
  • Willi Meier
  • Mostafizar Rahman
  • Dhiman Saha
  • Yu SasakiEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11464)


Forkciphers are a new kind of primitive proposed recently by Andreeva et al. for efficient encryption and authentication of small messages. They fork the middle state of a cipher and encrypt it twice under two smaller independent permutations. Thus, forkciphers produce two output blocks in one primitive call.

Andreeva et al. proposed ForkAES, a tweakable AES-based forkcipher that splits the state after five out of ten rounds. While their authenticated encrypted schemes were accompanied by proofs, the security discussion for ForkAES was not provided, and founded on existing results on the AES and KIASU-BC. Forkciphers provide a unique interface called reconstruction queries that use one ciphertext block as input and compute the respective other ciphertext block. Thus, they deserve a careful security analysis.

This work fosters the understanding of the security of ForkAES with three contributions: (1) We observe that security in reconstruction queries differs strongly from the existing results on the AES. This allows to attack nine out of ten rounds with differential, impossible-differential and yoyo attacks. (2) We observe that some forkcipher modes may lack the interface of reconstruction queries, so that attackers must use encryption queries. We show that nine rounds can still be attacked with rectangle and impossible-differential attacks. (3) We present forgery attacks on the AE modes proposed by Andreeva et al. with nine-round ForkAES.


Symmetric-key cryptography Cryptanalysis Tweakable block cipher Impossible differential Boomerang Yoyo AE 



Parts of this work have been initiated during the group sessions of the 8th Asian Workshop on Symmetric Cryptography (ASK 2018) held at the Indian Statistical Institute in Kolkata. We would also like to thank the anonymous reviewers and the designers of ForkAES for their helpful comments. Subhadeep Banik is supported by the Ambizione Grant PZ00P2_179921, awarded by the Swiss National Science Foundation.


  1. 1.
    Andreeva, E., Reyhanitabar, R., Varici, K., Vizár, D.: Forking a blockcipher for authenticated encryption of very short messages. IACR Archive (2018)., Version: 20180926:123554
  2. 2.
    Banik, S., et al.: Cryptanalysis of ForkAES. Cryptology ePrint Archive, Report 2019/289 (2019).
  3. 3.
    Biham, E., Biryukov, A., Dunkelman, O., Richardson, E., Shamir, A.: Initial observations on skipjack: cryptanalysis of skipjack-3XOR. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 362–375. Springer, Heidelberg (1999). Scholar
  4. 4.
    Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). Scholar
  5. 5.
    Biham, E., Dunkelman, O., Keller, N.: The rectangle attack - rectangling the serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001). Scholar
  6. 6.
    Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 1–16. Springer, Heidelberg (2002). Scholar
  7. 7.
    Blondeau, C.: Accurate Estimate of the Advantage of Impossible Differential Attacks. IACR Trans. Symmetric Cryptol. 2017(3), 169–191 (2017)MathSciNetGoogle Scholar
  8. 8.
    Boura, C., Lallemand, V., Naya-Plasencia, M., Suder, V.: Making the impossible possible. J. Cryptol. 31(1), 101–133 (2018)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014). Scholar
  10. 10.
    Cid, C., Huang, T., Peyrin, T., Sasaki, Y., Song, L.: Boomerang connectivity table: a new cryptanalysis tool. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 683–714. Springer, Cham (2018). Scholar
  11. 11.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002). Scholar
  12. 12.
    Derbez, P.: Note on impossible differential attacks. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 416–427. Springer, Heidelberg (2016). Scholar
  13. 13.
    Dobraunig, C., List, E.: Impossible-differential and boomerang cryptanalysis of round-reduced Kiasu-BC. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 207–222. Springer, Cham (2017). Scholar
  14. 14.
    Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016)Google Scholar
  15. 15.
    Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). Scholar
  16. 16.
    Kara, O.: Reflection cryptanalysis of some ciphers. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 294–307. Springer, Heidelberg (2008). Scholar
  17. 17.
    Knudsen, L.: DEAL - a 128-bit block cipher. Complexity 258(2), 216 (1998)Google Scholar
  18. 18.
    Murphy, S.: The return of the cryptographic boomerang. IEEE Trans. Inf. Theory 57(4), 2517–2521 (2011)MathSciNetCrossRefGoogle Scholar
  19. 19.
    National Institute of Standards and Technology. FIPS 197. National Institute of Standards and Technology, November, pp. 1–51 (2001)Google Scholar
  20. 20.
    Rønjom, S., Bardeh, N.G., Helleseth, T.: Yoyo tricks with AES. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 217–243. Springer, Cham (2017). Scholar
  21. 21.
    Tolba, M., Abdelkhalek, A., Youssef, A.M.: A meet in the middle attack on reduced round Kiasu-BC. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E99-A(10), 21–34 (2016)Google Scholar
  22. 22.
    Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Subhadeep Banik
    • 1
  • Jannis Bossert
    • 2
  • Amit Jana
    • 3
  • Eik List
    • 2
  • Stefan Lucks
    • 2
  • Willi Meier
    • 4
  • Mostafizar Rahman
    • 3
  • Dhiman Saha
    • 5
  • Yu Sasaki
    • 6
    Email author
  1. 1.EPFLLausanneSwitzerland
  2. 2.Bauhaus-Universität WeimarWeimarGermany
  3. 3.CSRU, Indian Statistical InstituteKolkataIndia
  4. 4.FHNWWindischSwitzerland
  5. 5.IIT BhilaiRaipurIndia
  6. 6.NTT Secure Platform LaboratoriesTokyoJapan

Personalised recommendations