Automatic Verification of Differential Characteristics: Application to Reduced Gimli

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12172)

Abstract

Since Keccak was selected as the SHA-3 standard, more and more permutation-based primitives have been proposed. Unlike block ciphers, the underlying permutation of a permutation-based primitive has no round key. Therefore, a differential characteristic of the underlying permutation is at higher risk of becoming incompatible once the dependency of the difference transitions across rounds is taken into account. However, most MILP- or SAT-based models for searching differential characteristics involve only the difference transitions and treat them as independent in different rounds, so the characteristic found may be invalid for the underlying permutation. To overcome this obstacle, we design a model that automatically avoids such inconsistency during the search for differential characteristics. Our technique is to involve both the difference transitions and the value transitions in the constructed model. This idea is inspired by the algorithm for finding SHA-2 characteristics proposed by Mendel et al. at ASIACRYPT 2011, where the differential characteristic and the conforming message pair are searched simultaneously. As a first attempt, our new technique is applied to the Gimli permutation, which was proposed at CHES 2017. As a result, we reveal that some existing differential characteristics of reduced Gimli are indeed incompatible, one of which appears in the Gimli document. In addition, since only the permutation is analyzed in the Gimli document, we are led to carry out a comprehensive study covering the proposed hash scheme and the authenticated encryption (AE) scheme specified for Gimli, which has become a second-round candidate of the NIST lightweight cryptography standardization process. For the hash scheme, a semi-free-start (SFS) collision attack can reach up to 8 rounds starting from an intermediate round. For the AE scheme, a state recovery attack is demonstrated on up to 9 rounds.
It should be emphasized that our analysis does not threaten the security of Gimli.
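To make the abstract's point concrete, here is an added example (not the paper's code and not from the GimliAnalysis repository): it implements the public Gimli SP-box on one column and compares a round-independent, difference-only count with a value-aware check that pushes an actual pair through both rounds. The two-round characteristic, its differences and the bit conditions noted in the comments are my own construction for illustration; they are not characteristics from the paper.

```python
import random

MASK = 0xFFFFFFFF

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def sp_box(x, y, z):
    # One Gimli SP-box on a column of three 32-bit words (the public design).
    x, y = rotl(x, 24), rotl(y, 9)
    nz = x ^ ((z << 1) & MASK) ^ (((y & z) << 2) & MASK)
    ny = y ^ x ^ (((x | z) << 1) & MASK)
    nx = z ^ y ^ (((x & y) << 3) & MASK)
    return nx, ny, nz

def matches(a, b, target):
    # Word-wise XOR difference of two column states against a target; None = don't care.
    return all(t is None or (u ^ v) == t for u, v, t in zip(a, b, target))

def follows(state, delta_in, char):
    # Value-aware check: push an actual pair through every round of the characteristic.
    a, b = state, tuple(u ^ d for u, d in zip(state, delta_in))
    for target in char:
        a, b = sp_box(*a), sp_box(*b)
        if not matches(a, b, target):
            return False
    return True

def chained_hits(delta_in, char, trials, seed=1):
    # Count random starting values whose pair conforms to all listed rounds at once.
    # With a one-round list this is the round-independent view: fresh uniform inputs.
    rng = random.Random(seed)
    return sum(follows(tuple(rng.getrandbits(32) for _ in range(3)), delta_in, char)
               for _ in range(trials))

# Constructed two-round characteristic (my own example, not one from the paper).
D = 0x08000009                 # bits 0, 3, 27 of the rotated x word
DELTA_IN = (rotl(D, 8), 0, 0)  # pre-rotation x difference: rotr by 24 == rotl by 8
ROUND1 = (0, D, D)             # holds iff z[0,3,27] = 1 and rotl(y,9)[0,3,27] = 0 (2^-6)
# Those round-1 conditions force output x bit 3 = 1, which becomes rotl(x,24) bit 27
# in round 2, so the OR term (x|z)<<1 can never flip bit 28 of the next y word.
FEASIBLE = [ROUND1, (None, 0x00001210, None)]       # 2^-2 given round 1
CONTRADICTORY = [ROUND1, (None, 0x10001210, None)]  # 2^-3 in isolation, 0 when chained

if __name__ == "__main__":
    T = 1 << 14
    r1, r2 = chained_hits(DELTA_IN, [ROUND1], T), chained_hits(ROUND1, [CONTRADICTORY[1]], T)
    print(f"round-independent estimate: {r1 / T:.4f} * {r2 / T:.4f} = {r1 * r2 / T / T:.2e}")
    print("chained, contradictory:", chained_hits(DELTA_IN, CONTRADICTORY, T))
    print("chained, feasible:     ", chained_hits(DELTA_IN, FEASIBLE, T))
```

The round-independent product is nonzero for both variants, while the chained check finds conforming pairs only for the feasible one; this is the kind of inconsistency a model that also tracks value transitions rules out during the search.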

Keywords

  • Gimli
  • Hash function
  • AE
  • MILP
  • Collision
  • State-recovery

Notes

  1. The source code of our attacks is available at https://github.com/LFKOKAMI/GimliAnalysis.git.

References

  1. https://csrc.nist.gov/Projects/Lightweight-Cryptography/Round-2-Candidates

  2. https://www.gurobi.com

  3. Aumasson, J.-P., Çalık, Ç., Meier, W., Özen, O., Phan, R.C.-W., Varıcı, K.: Improved cryptanalysis of Skein. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 542–559. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_32

  4. Bernstein, D.J., et al.: Gimli: a cross-platform permutation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 299–320. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_15

  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19

  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference (2011). http://keccak.noekeon.org

  7. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1

  8. Biryukov, A., Nikolić, I., Roy, A.: Boomerang attacks on BLAKE-32. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 218–237. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_13

  9. Blondeau, C., Bogdanov, A., Leander, G.: Bounds in shallows and in miseries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 204–221. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_12

  10. De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_1

  11. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2 (2018). https://ascon.iaik.tugraz.at/files/asconv12-nist.pdf

  12. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Preliminary analysis of Ascon-Xof and Ascon-Hash (version 0.1) (2019). https://ascon.iaik.tugraz.at/files/Preliminary_Analysis_of_Ascon-Xof_and_Ascon-Hash_v01.pdf

  13. Hamburg, M.: Cryptanalysis of 22 1/2 rounds of Gimli. Cryptology ePrint Archive, Report 2017/743 (2017). https://eprint.iacr.org/2017/743

  14. Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, Part I, vol. 9215, pp. 161–185. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_8

  15. Leurent, G.: Analysis of differential attacks in ARX constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 226–243. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_15

  16. Leurent, G.: Construction of differential characteristics in ARX designs application to Skein. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, Part I, vol. 8042, pp. 241–258. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_14

  17. Liu, F., Isobe, T., Meier, W.: Automatic verification of differential characteristics: application to reduced Gimli (full version). Cryptology ePrint Archive, Report 2020/591 (2020). https://eprint.iacr.org/2020/591

  18. Mendel, F., Nad, T., Schläffer, M.: Finding SHA-2 characteristics: searching through a minefield of contradictions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 288–307. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_16

  19. Mironov, I., Zhang, L.: Applications of SAT solvers to cryptanalysis of hash functions. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 102–115. Springer, Heidelberg (2006). https://doi.org/10.1007/11814948_13

  20. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, Part I, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_19

  21. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, Part I, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9

  22. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_2

  23. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_2

  24. Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, Part I, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_24

  25. Zong, R., Dong, X., Wang, X.: Collision attacks on round-reduced Gimli-Hash/Ascon-Xof/Ascon-Hash. Cryptology ePrint Archive, Report 2019/1115 (2019). https://eprint.iacr.org/2019/1115

Acknowledgements

We thank the anonymous reviewers of CRYPTO 2020 for their many helpful comments. We thank Daniel J. Bernstein and Florian Mendel for some discussions on the cryptanalysis of Gimli. We also thank Xiaoyang Dong and Rui Zong for the discussions on the contradictions in the 6-round differential characteristic. Fukang Liu and Takanori Isobe are supported by Grant-in-Aid for Scientific Research (B) (KAKENHI 19H02141) for Japan Society for the Promotion of Science and SECOM science and technology foundation. In addition, Fukang Liu is partially supported by National Natural Science Foundation of China (Grant No. 61632012, 61672239) and the National Cryptography Development Fund [No. MMJJ20180201].

Corresponding author

Correspondence to Fukang Liu.

Copyright information

© 2020 International Association for Cryptologic Research

About this paper

Cite this paper

Liu, F., Isobe, T., Meier, W. (2020). Automatic Verification of Differential Characteristics: Application to Reduced Gimli. In: Micciancio, D., Ristenpart, T. (eds) Advances in Cryptology – CRYPTO 2020. CRYPTO 2020. Lecture Notes in Computer Science, vol 12172. Springer, Cham. https://doi.org/10.1007/978-3-030-56877-1_8

  • DOI: https://doi.org/10.1007/978-3-030-56877-1_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-56876-4

  • Online ISBN: 978-3-030-56877-1