Cryptanalysis For Lightweight Cryptographic Algorithms

Posted on: 2022-09-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H C Liang
Full Text: PDF
GTID: 1488306608979759
Subject: Computer Software and Application of Computer
Abstract/Summary:
We have entered the era of the interconnection of all things. With the rapid development of sensor networks, the Internet of Things and distributed control systems, communication equipment, travel tools, household appliances and industrial production are all being made intelligent. Intelligence has become the theme of this era, and the security of data, equipment and transmission has become the crucial issue. Cryptography provides the theoretical basis and support for ensuring data security. Symmetric cryptographic algorithms provide a strong guarantee for the confidentiality, integrity and authentication of data. Symmetric ciphers include stream ciphers, block ciphers and authenticated encryption algorithms. As encryption algorithms, stream ciphers and block ciphers are used to ensure the confidentiality of data. Authenticated encryption algorithms can ensure both the confidentiality and the integrity of data. Most existing cryptographic algorithms are designed for personal computers or server environments. These algorithms need a lot of computing resources and cannot be applied in devices with limited computing resources. Most existing standard cryptographic algorithms cannot provide satisfactory performance on resource-constrained devices. Therefore, we need lightweight cryptographic algorithms to meet the requirements of the intelligent era. In March 2019, the National Institute of Standards and Technology (NIST) launched the lightweight cryptography competition. The main purpose of this competition is to solicit, evaluate and standardize lightweight cryptographic algorithms suitable for resource-constrained environments. In August of the same year, NIST published the list of candidate algorithms entering the second round, including 32 candidate algorithms. In March 2021, 10 candidate algorithms entered the last round of evaluation.

Drygascon is an authenticated encryption algorithm and a candidate in the second round of the NIST lightweight cryptography competition. Drygascon combines the Drysponge mode with a built-in permutation (named the F permutation), which provides a design scheme against physical attacks such as side-channel attacks. The Drysponge mode is a variant of the Sponge Duplex construction. Absorbing data is not done by an XOR operation, but by F. The design of the F permutation is similar to but different from the Ascon permutation. The F permutation uses the same nonlinear operation as the Ascon permutation. In order to resist physical attacks, the F permutation introduces the input data into the whole state in the form of a "serial number" via the MixSX32 permutation inside F. Drygascon includes Drygascon128 and Drygascon256. Each version contains the authenticated encryption algorithm and the hash function. In 2020, Tezcan gave distinguishers for Drygascon128, including a 3-round subspace trail, a 3.5-round truncated differential trail and a 5-round differential-linear trail, and gave a 4-round subspace trail for Drygascon256. In Tezcan's paper, the influence of the MixSX32 permutation on differential propagation is not considered, and the MixSX32 permutation is regarded as a simple linear operation. When searching for distinguishers, the input difference of the MixSX32 permutation is set to zero, that is, the difference of the input data is zero. The MixSX32 permutation absorbs the input data; it is part of the F permutation and an important part of Drygascon. Using properties of the MixSX32 permutation, this paper gives collision attacks and forgery attacks on Drygascon. In addition, the linear layer of the GASCON permutation used in Tezcan's distinguishers is not the linear layer of Drygascon. Therefore, there is no public third-party cryptanalysis of Drygascon.

By analyzing the F permutation of Drygascon, this paper gives collision attacks and forgery attacks on Drygascon. The F permutation consists of the Mix permutation and the G permutation. The Mix permutation is made up of the MixSX32 permutation and the GASCON permutation. We constructed collisions at three different positions inside the Mix permutation: the output of the first MixSX32 permutation, the output of the second MixSX32 permutation and the output of the third MixSX32 permutation. For Drygascon128, the internal collisions of the Mix permutation can be used to construct related-key collisions, and the collisions at the output of the third MixSX32 permutation of the Mix permutation can be used to construct weak-key collisions. For Drygascon256, the collisions at the output of the first MixSX32 of the Mix permutation can be used to build related-key collisions. Using the related-key collisions, related-key forgeries can be constructed by replacing the input data. For Drygascon128, the related-key collisions at the first MixSX32 of the Mix permutation can be used to make related-key forgeries with probability 1; the collisions at the output of the second MixSX32 permutation of Mix can be used to make related-key forgeries with the optimal probability $2^{-6}$; and the collisions at the output of the third MixSX32 permutation of Mix can be used to make related-key forgeries with the optimal probability $2^{-10}$. For Drygascon256, the collisions at the output of the first MixSX32 of the Mix permutation can be used to make related-key forgeries with probability 1. Using the weak-key collisions, weak-key forgeries can be constructed by replacing the input data. For Drygascon128, the collisions at the output of the third MixSX32 of the Mix permutation can be used to make weak-key forgeries with probability $2^{-13}$. The number of weak keys depends on the key length. For a weak-key class, there are $2^{32}$ 128-bit keys, $2^{160}$ 256-bit keys, and $2^{352}$ 448-bit keys.

BORON is a lightweight block cipher based on an SPN (Substitution-Permutation Network). The block length is 64 bits, the key length can be 80 bits or 128 bits, and the total number of rounds is 25. BORON adopts the usual design, which is suitable for hardware and software. There is no third-party cryptanalysis except the security evaluation in the specification. This paper presents differential cryptanalysis and linear cryptanalysis of BORON. Firstly, by using the automatic search technique, this paper obtained an 8-round differential trail with the optimal probability $2^{-62}$, a 9-round linear trail with the optimal bias $2^{-30}$, a 10-round related-key differential trail with the optimal probability $2^{-55}$, and four 7-round impossible differential trails. We also make sure that available 9-round differential trails and available 10-round linear trails do not exist. Using the 8-round differential trail with the optimal probability, this paper introduces a key-recovery attack against 9-round BORON whose time complexity is $2^{56}$, data complexity is $2^{63}$, and memory complexity is $2^{24}$. Utilizing the 9-round linear trail with the optimal bias, this paper illustrates a key-recovery attack against 11-round BORON whose time complexity is $2^{123}$, data complexity is $2^{63}$, and memory complexity is $2^{42}$.
Keywords/Search Tags: NIST, Forgery Attack, Key-Recovery Attack, Differential Cryptanalysis, Linear Cryptanalysis, Lightweight Authenticated Encryption Algorithm, Lightweight Block Cipher, Sponge, Drygascon, BORON