Advertisement

Algebraic Cryptanalysis of Variants of Frit

  • Christoph Dobraunig
  • Maria EichlsederEmail author
  • Florian Mendel
  • Markus Schofnegger
Conference paper
  • 134 Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11959)

Abstract

Frit is a cryptographic 384-bit permutation recently proposed by Simon et al. and follows a novel design approach for built-in countermeasures against fault attacks. We analyze the cryptanalytic security of Frit in different use cases and propose attacks on the full-round primitive. We show that the inverse \(\textsc {Frit}^{-1}\) of Frit is significantly weaker than Frit from an algebraic perspective, despite the better diffusion of the inverse of the mixing functions \(\sigma \): Its round function has an effective algebraic degree of only about 1.325. We show how to craft structured input spaces to linearize up to 4 (or, conditionally, 5) rounds and thus further reduce the degree. As a result, we propose very low-dimensional start-in-the-middle zero-sum partitioning distinguishers for unkeyed Frit, as well as integral distinguishers for reduced-round Frit and full-round \(\textsc {Frit}^{-1}\). We also consider keyed Frit variants using Even-Mansour or arbitrary round keys. By using optimized interpolation attacks and symbolically evaluating up to 5 rounds of \(\textsc {Frit}^{-1}\), we obtain key-recovery attacks with a complexity of either \(2^{59}\) chosen plaintexts and \(2^{67}\) time, or \(2^{18}\) chosen ciphertexts and time (about 5 seconds in practice).

Keywords

Cryptanalysis Frit Higher-order differentials Interpolation 

Notes

Acknowledgements

We thank the Frit team for their comments on preliminary versions of the attack.

Supplementary material

References

  1. 1.
    Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_17CrossRefGoogle Scholar
  2. 2.
    Ashur, T., et al.: Cryptanalysis of MORUS. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 35–64. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03329-3_2CrossRefGoogle Scholar
  3. 3.
    Aumasson, J.P., Meier, W.: Zero-sum distinguishers for reduced Keccak-\(f\) and for the core functions of luffa and hamsi. Presented at the rump session of Cryptographic Hardware and Embedded Systems – CHES 2009 (2009). https://131002.net/data/papers/AM09.pdf
  4. 4.
    Bar-On, A., Dinur, I., Dunkelman, O., Lallemand, V., Keller, N., Tsaban, B.: Cryptanalysis of SP networks with partial non-linear layers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 315–342. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_13CrossRefGoogle Scholar
  5. 5.
    Bard, G.V.: Algorithms for solving linear and polynomial systems of equations over finite fields with applications to cryptanalysis. Ph.D. thesis, University of Maryland, College Park, MD, USA (2007). https://hdl.handle.net/1903/7202
  6. 6.
    Bernstein, D.J., et al.: Gimli : a cross-platform permutation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 299–320. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66787-4_15CrossRefGoogle Scholar
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. Ecrypt Hash Workshop 2007, May 2007Google Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78967-3_11CrossRefGoogle Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak SHA-3 submission (Version 3.0) (2011). http://keccak.noekeon.org/Keccak-submission-3.pdf
  10. 10.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-28496-0_19CrossRefGoogle Scholar
  11. 11.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997).  https://doi.org/10.1007/BFb0052259CrossRefGoogle Scholar
  12. 12.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997).  https://doi.org/10.1007/3-540-69053-0_4CrossRefGoogle Scholar
  13. 13.
    Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 313–333. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-52993-5_16CrossRefGoogle Scholar
  14. 14.
    Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. J. Cryptol. 31(3), 885–916 (2018).  https://doi.org/10.1007/s00145-017-9273-9MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_26CrossRefGoogle Scholar
  16. 16.
    Daemen, J., Hoffert, S., Van Assche, G., Van Keer, R.: The design of Xoodoo and Xoofff. IACR Trans. Symmetric Cryptol. 2018(4), 1–38 (2018).  https://doi.org/10.13154/tosc.v2018.i4.1-38CrossRefGoogle Scholar
  17. 17.
    Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie Proposal: NOEKEON. First Open NESSIE Workshop (2000). http://gro.noekeon.org/Noekeon-spec.pdf
  18. 18.
    Dinur, I., Liu, Y., Meier, W., Wang, Q.: Optimized interpolation attacks on LowMC. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 535–560. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48800-3_22CrossRefGoogle Scholar
  19. 19.
    Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_28CrossRefGoogle Scholar
  20. 20.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-01001-9_16CrossRefGoogle Scholar
  21. 21.
    Dobraunig, C., et al.: Rasta: a cipher with low ANDdepth and few ANDs per bit. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 662–692. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-96884-1_22CrossRefGoogle Scholar
  22. 22.
    Dobraunig, C., Eichlseder, M., Mendel, F.: Higher-order cryptanalysis of LowMC. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 87–101. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-30840-1_6CrossRefGoogle Scholar
  23. 23.
    Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2. Submission to Round 3 of the CAESAR competition (2016). https://competitions.cr.yp.to/round3/asconv12.pdf
  24. 24.
    Dong, X., Li, Z., Wang, X., Qin, L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017(1), 259–280 (2017).  https://doi.org/10.13154/tosc.v2017.i1.259-280CrossRefGoogle Scholar
  25. 25.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993).  https://doi.org/10.1007/3-540-57332-1_17CrossRefGoogle Scholar
  26. 26.
    Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40349-1_22CrossRefGoogle Scholar
  27. 27.
    Goubin, L., Patarin, J.: DES and differential power analysis the “Duplication” method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48059-5_15CrossRefzbMATHGoogle Scholar
  28. 28.
    Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_9CrossRefGoogle Scholar
  29. 29.
    Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_9CrossRefGoogle Scholar
  30. 30.
    Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997).  https://doi.org/10.1007/BFb0052332CrossRefGoogle Scholar
  31. 31.
    Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-45661-9_9CrossRefGoogle Scholar
  32. 32.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68697-5_9CrossRefGoogle Scholar
  33. 33.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_25CrossRefGoogle Scholar
  34. 34.
    Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello Jr., D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography: Two Sides of One Tapestry. International Series in Engineering and Computer Science, vol. 276, pp. 227–233. Kluwer Academic Publishers (1994).  https://doi.org/10.1007/978-1-4615-2694-0_23CrossRefGoogle Scholar
  35. 35.
    Leander, G., Minaud, B., Rønjom, S.: A generic approach to invariant subspace attacks: cryptanalysis of Robin, iSCREAM and Zorro. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 254–283. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_11CrossRefGoogle Scholar
  36. 36.
    Li, Z., Bi, W., Dong, X., Wang, X.: Improved conditional cube attacks on keccak keyed modes with MILP method. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 99–127. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70694-8_4CrossRefGoogle Scholar
  37. 37.
    Li, Z., Dong, X., Wang, X.: Conditional cube attack on round-reduced ASCON. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017).  https://doi.org/10.13154/tosc.v2017.i1.175-202CrossRefGoogle Scholar
  38. 38.
    Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49890-3_13CrossRefGoogle Scholar
  39. 39.
    Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006).  https://doi.org/10.1007/11935308_38CrossRefzbMATHGoogle Scholar
  40. 40.
    Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of non-linear functions in the presence of glitches. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 218–234. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-00730-9_14CrossRefGoogle Scholar
  41. 41.
    Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011).  https://doi.org/10.1007/s00145-010-9085-7MathSciNetCrossRefzbMATHGoogle Scholar
  42. 42.
    Qin, L., Dong, X., Jia, K., Zong, R.: Key-dependent cube attack on reduced Frit permutation in Duplex-AE modes. IACR Cryptology ePrint Archive, Report 2019/170 (2019). https://eprint.iacr.org/2019/170
  43. 43.
    Rasoolzadeh, S., Ahmadian, Z., Salmasizadeh, M., Aref, M.R.: Total break of Zorro using linear and differential attacks. IACR Cryptology ePrint Archive, Report 2014/220 (2014). https://eprint.iacr.org/2014/220
  44. 44.
    Schneider, T., Moradi, A., Güneysu, T.: ParTI – towards combined hardware countermeasures against side-channel and fault-injection attacks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 302–332. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53008-5_11CrossRefGoogle Scholar
  45. 45.
    Shi, D., Sun, S., Sasaki, Y., Li, C., Hu, L.: Correlation of quadratic Boolean functions: cryptanalysis of all versions of full MORUS. IACR Cryptology ePrint Archive, Report 2019/172 (2019). https://eprint.iacr.org/2019/172
  46. 46.
    Simon, T., et al.: Towards lightweight cryptographic primitives with built-in fault-detection. IACR Cryptology ePrint Archive, Report 2018/729 (2018). https://eprint.iacr.org/2018/729
  47. 47.
    Song, L., Liao, G., Guo, J.: Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63715-0_15CrossRefGoogle Scholar
  48. 48.
    Todo, Y.: Integral cryptanalysis on Full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-47989-6_20CrossRefGoogle Scholar
  49. 49.
    Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_12CrossRefGoogle Scholar
  50. 50.
    Wang, Y., Wu, W., Guo, Z., Yu, X.: Differential cryptanalysis and linear distinguisher of full-round zorro. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 308–323. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-07536-5_19CrossRefGoogle Scholar
  51. 51.
    Wu, H., Huang, T.: The authenticated cipher MORUS (v2). Submission to Round 3 of the CAESAR competition (2016). https://competitions.cr.yp.to/round3/morusv2.pdf

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Christoph Dobraunig
    • 1
  • Maria Eichlseder
    • 1
    Email author
  • Florian Mendel
    • 2
  • Markus Schofnegger
    • 1
  1. 1.Graz University of TechnologyGrazAustria
  2. 2.Infineon Technologies AGNeubibergGermany

Personalised recommendations