
Research On Related-key Boomerang Attack And Rectangle Attack

Posted on: 2021-04-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B X Zhao
GTID: 1368330602481074
Subject: Information security professional

Abstract/Summary:
In the past decades, information technology has achieved unprecedented development, and information security has gradually received more and more attention all over the world. As the cornerstone of information security, cryptography has been applied to more fields. Cipher algorithms are divided into symmetric and asymmetric cipher algorithms, and symmetric cryptography can be further divided into block ciphers, stream ciphers, hash algorithms and authenticated encryption algorithms. Symmetric cryptographic algorithms are widely used in data encryption and message authentication because of their fast encryption speed and ease of implementation in software and hardware.

This paper mainly focuses on the boomerang attack and the rectangle attack, and analyzes the security of several tweakable block ciphers and lightweight ciphers. In the process of research, we propose a new model of related-key boomerang attack and rectangle attack, and apply the model to SKINNY and GIFT. In addition, we improve the existing MILP model used to search for related-key rectangle distinguishers of Deoxys-BC, based on which we obtain better distinguishers, and apply them to Deoxys-BC.

Cryptanalysis of Tweakable Block Cipher SKINNY

The concept of the tweakable block cipher was first proposed by Moses Liskov et al., aiming to ensure the efficiency of the algorithm and the variability of encryption. Compared with a traditional block cipher, in addition to a plaintext P and a master key K, it takes a tweak T as a third input. The SKINNY family was proposed by Christof Beierle et al. at CRYPTO 2016, with the goal of competing with the NSA's recent design SIMON in terms of hardware and software performance. The SKINNY algorithm adopts the TWEAKEY framework, so the concatenation of the tweak and the master key is called a tweakey. SKINNY is divided into 6 versions according to the block size and tweakey size, denoted SKINNY-n-t, where n is the block size, which can be 64 or 128, and t is the tweakey size, which can be t = n, t = 2n or t = 3n.

Since SKINNY was proposed, there have been a number of third-party cryptanalytic results from all over the world. Tolba et al. applied impossible differential attacks to 18-, 20- and 22-round SKINNY-n-n, SKINNY-n-2n and SKINNY-n-3n, respectively, in the single-key model at AFRICACRYPT 2017. At ToSC 2017, Liu et al. searched for related-tweakey impossible differentials and related-tweakey rectangle distinguishers and applied them to analyze up to 19-, 23- and 27-round SKINNY-n-n, SKINNY-n-2n and SKINNY-n-3n, respectively. At ASIACRYPT 2018, Shi et al. analyzed 22-round SKINNY-128-384 using the Demirci-Selcuk meet-in-the-middle attack. At ToSC 2019, Song et al. revisited the Boomerang Connectivity Table and recalculated the probabilities of some related-tweakey boomerang distinguishers proposed at ToSC 2017.

In this paper, we propose a new related-key rectangle attack model and apply it to the SKINNY-128-384 algorithm. We successfully reduce the time complexity of the 27-round related-tweakey rectangle attack on SKINNY-128-384 by a factor of $2^{37}$, and give a 28-round related-tweakey rectangle attack on SKINNY-128-384 with a time complexity of $2^{315.25}$ for the first time.

Cryptanalysis of Lightweight Block Cipher GIFT

The development of ubiquitous computing applications has promoted the rapid development of lightweight cryptographic algorithms. Many lightweight cryptographic algorithms have appeared, such as PRESENT and PHOTON. To celebrate the 10th anniversary of the PRESENT algorithm, Banik et al. proposed the GIFT block cipher at the CHES 2017 conference, which is an upgraded version of PRESENT. GIFT is divided into GIFT-64 and GIFT-128 according to the block size. At IWSEC 2018, Sasaki introduced a MitM attack on 15-round GIFT-64 with a time complexity of $2^{112}$. At CT-RSA 2019, Zhu et al. analyzed 19-round GIFT-64 with a 12-round differential characteristic in the single-key model, and gave a 22-round differential attack on GIFT-128. At ACISP 2019, Liu and Sasaki explored the BCT effect on GIFT-64 and GIFT-128 with a SAT-based method, and gave a 23-round key recovery attack on GIFT-64. Concurrently, Chen et al. also gave a 23-round key recovery attack based on the generalized model of the related-key rectangle attack proposed by Liu.

In this paper, we focus on the security of the GIFT algorithm against the related-key rectangle attack. Based on the 19-round related-key rectangle distinguisher of GIFT-64 proposed by Chen et al., after extending it by 2 and 3 rounds forward and backward, respectively, and in combination with the new model of related-key rectangle attack that we propose, we give the 24-round related-key rectangle attack on GIFT-64 for the first time, with a time complexity of $2^{92.81}$.

Cryptanalysis of Reduced-round Deoxys-BC

Authenticated encryption (AE) is a form of encryption that provides confidentiality, integrity and authenticity assurances on messages. The CAESAR competition was launched in 2014 to find more secure authenticated encryption algorithms. After four rounds of screening by cryptographers and engineers from around the world, six authenticated encryption algorithms were selected as winners. The Deoxys family was designed by Jeremy Jean et al. and consists of two versions, Deoxys-I and Deoxys-II, both of which adopt the tweakable block cipher Deoxys-BC as their internal primitive. Deoxys-BC also adopts the TWEAKEY framework and is divided into two versions, Deoxys-BC-256 and Deoxys-BC-384, according to the tweakey size.

Cid et al. introduced the first third-party analysis of Deoxys-BC at ToSC 2017. They proposed a new method to search for related-key boomerang trails with Mixed Integer Linear Programming (MILP) by incorporating linear incompatibility. They gave related-key rectangle attacks against 9-round and 10-round Deoxys-BC-256, and 12-round and 13-round Deoxys-BC-384. Later, based on the related-key boomerang paths proposed by Cid, Sasaki introduced improved boomerang attacks on reduced-round Deoxys-BC-256 and Deoxys-BC-384 with lower complexities. At EUROCRYPT 2018, Cid et al. proposed a new technique named the Boomerang Connectivity Table (BCT), and increased the probability of the 10-round distinguisher of Deoxys-BC-384 by a factor of $2^{0.6}$. At ToSC 2019, Wang and Peyrin, and Song et al., revisited the BCT and proposed a generalized framework that can be applied to boomerang switches spanning multiple rounds. Wang and Peyrin introduced a tool named the Boomerang Difference Table (BDT), which is an improvement of the BCT and allows a systematic evaluation of the boomerang switch through multiple rounds.

In this paper, by adding more constraints, we improve the MILP model proposed by Cid to search for related-key rectangle distinguishers. After extending the obtained related-key rectangle distinguisher by several rounds, the number of active bytes is reduced compared with before. With the new distinguisher, we reduce the complexity of the previous 10-round Deoxys-BC-256 and 13-round Deoxys-BC-384 attacks, and give 11-round Deoxys-BC-256 and 14-round Deoxys-BC-384 related-tweakey rectangle attacks for the first time, with time complexities of $2^{249.9}$ and $2^{282.7}$, respectively.
Keywords/Search Tags:Block Cipher, Tweakable Block Cipher, Lightweight Cipher, Boomerang Attack, Rectangle Attack