Zero-Sum Partitions of PHOTON Permutations

  • Qingju Wang
  • Lorenzo Grassi
  • Christian Rechberger
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)

Abstract

We describe an approach to zero-sum partitions using Todo’s division property at EUROCRYPT 2015. It follows the inside-out methodology, and includes MILP-assisted search for the forward and backward trails, and subspace approach to connect those two trails that is less restrictive than commonly done.

As an application we choose PHOTON, a family of sponge-like hash function proposals that was recently standardized by ISO. With respect to the security claims made by the designers, we for the first time show zero-sum partitions for almost all of those full 12-round permutation variants that use a 4-bit S-Box. As with essentially any other zero-sum property in the literature, also here the gap between a generic attack and the shortcut is small.

Keywords

PHOTON Integral Division property Zero-sum MILP Subspace 

Notes

Acknowledgements

The authors would like to thank Meicheng Liu and Jian Guo for their fruitful discussions, and the anonymous reviewers for their comments. This work was supported partially by National Natural Science Foundation of China (No. 61472250, No. 61672347), Major State Basic Research Development Program (973 Plan, No. 2013CB338004), and Program of Shanghai Academic/Technology Research Leader (No. 16XD1401300).

References

  1. 1.
  2. 2.
  3. 3.
    Aumasson, J.-P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. In: Presented at the Rump Session of Cryptographic Hardware and Embedded Systems - CHES 2009 (2009). https://131002.net/data/papers/AM09.pdf
  4. 4.
    Bellare, M., Micciancio, D.: A new paradigm for collision-free hashing: incrementality at reduced cost. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 163–192. Springer, Heidelberg (1997).  https://doi.org/10.1007/3-540-69053-0_13 Google Scholar
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Note on zero-sum distinguishers of Keccak-f. http://keccak.noekeon.org/NoteZeroSum.pdf
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop (2007)Google Scholar
  7. 7.
    Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 395–405. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44987-6_24 CrossRefGoogle Scholar
  8. 8.
    Boura, C., Canteaut, A.: A zero-sum property for the Keccak-\(f\) permutation with 18 rounds. In: Proceedings of the IEEE International Symposium on Information Theory, ISIT 2010, Austin, Texas, USA, 13–18 June 2010, pp. 2488–2492. IEEE (2010).  https://doi.org/10.1109/ISIT.2010.5513442
  9. 9.
    Boura, C., Canteaut, A.: Another view of the division property. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 654–682. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53018-4_24 CrossRefGoogle Scholar
  10. 10.
    Daemen, J., Knudsen, L., Rijmen, V.: The block cipher square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997).  https://doi.org/10.1007/BFb0052343 CrossRefGoogle Scholar
  11. 11.
    Dobbertin, H.: Cryptanalysis of MD5 compress. In: Presented at the Rump Session of Eurocrypt 1996 (1996)Google Scholar
  12. 12.
    Dobbertin, H.: The status of MD5 after a recent attack. CryptoBytes 2(2) (1996). ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf
  13. 13.
    Duan, M., Lai, X.: Improved zero-sum distinguisher for full round Keccak-\(f\) permutation. Chin. Sci. Bull. 57(6), 694–697 (2012)CrossRefGoogle Scholar
  14. 14.
    Gilbert, H.: A simplified representation of AES. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 200–222. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_11 Google Scholar
  15. 15.
    Gilbert, H., Minier, M.: A collision attack on 7 rounds of Rijndael. In: AES Candidate Conference, pp. 230–241 (2000)Google Scholar
  16. 16.
    Grassi, L., Rechberger, C.: New and old limits for AES known-key distinguishers. Cryptology ePrint Archive, Report 2017/255 (2017). http://eprint.iacr.org/2017/255
  17. 17.
    Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/571 Google Scholar
  18. 18.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22792-9_13 CrossRefGoogle Scholar
  19. 19.
    Jean, J., Naya-Plasencia, M., Peyrin, T.: Improved rebound attack on the finalist Grøstl. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 110–126. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34047-5_7 CrossRefGoogle Scholar
  20. 20.
    Knudsen, L.R., Rijmen, V.: Known-key distinguishers for some block ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-76900-2_19 CrossRefGoogle Scholar
  21. 21.
    Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-45661-9_9 CrossRefGoogle Scholar
  22. 22.
    Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995).  https://doi.org/10.1007/3-540-60590-8_16 CrossRefGoogle Scholar
  23. 23.
    Lucks, S.: Attacking seven rounds of Rijndael under 192-bit and 256-bit keys. In: AES Candidate Conference, pp. 215–229 (2000)Google Scholar
  24. 24.
    Sun, L., Wang, W., Wang, M.: MILP-aided bit-based division property for primitives with non-bit-permutation linear layers. Cryptology ePrint Archive, Report 2016/811 (2016). http://eprint.iacr.org/2016/811
  25. 25.
    Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_9 Google Scholar
  26. 26.
    Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-47989-6_20 CrossRefGoogle Scholar
  27. 27.
    Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_12 Google Scholar
  28. 28.
    Todo, Y., Morii, M.: Bit-based division property and application to Simon family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-52993-5_18 CrossRefGoogle Scholar
  29. 29.
    Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48519-8_12 CrossRefGoogle Scholar
  30. 30.
    Wang, Q., Grassi, L., Rechberger, C.: Zero-sum partitions of PHOTON permutations. Cryptology ePrint Archive, Report 2017/1211 (2017). http://eprint.iacr.org/2017/1211
  31. 31.
    Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-13039-2_9 Google Scholar
  32. 32.
    Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_24 CrossRefGoogle Scholar
  33. 33.
    Zhang, W., Rijmen, V.: Division cryptanalysis of block ciphers with a binary diffusion layer. Cryptology ePrint Archive, Report 2017/188 (2017). http://eprint.iacr.org/2017/188

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Qingju Wang
    • 1
    • 2
  • Lorenzo Grassi
    • 3
  • Christian Rechberger
    • 2
    • 3
  1. 1.Shanghai Jiao Tong UniversityShanghaiChina
  2. 2.Technical University of DenmarkKongens LyngbyDenmark
  3. 3.IAIKGraz University of TechnologyGrazAustria

Personalised recommendations