CryptoDB
Cihangir Tezcan
Publications and invited talks
Year
Venue
Title
2025
TOSC
GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA
Abstract
Key lengths in symmetric cryptography are determined with respect to the brute force attacks with current technology. While nowadays at least 128-bit keys are recommended, there are many standards and real-world applications that use shorter keys. In order to estimate the actual threat imposed by using those short keys, precise estimates for attacks are crucial. In this work we provide optimized implementations of several widely used algorithms on GPUs, leading to interesting insights on the cost of brute force attacks on several real-world applications. In particular, we optimize KASUMI (used in GPRS/GSM), SPECK (used in RFID communication), and TEA3 (used in TETRA). Our best optimizations allow us to try 2^35.72, 2^36.72, and 2^34.71 keys per second on a single RTX 4090 GPU. Those results improve upon previous results significantly, e.g. our KASUMI implementation is more than 15 times faster than the optimizations given in the CRYPTO’24 paper [ACC+24] improving the main results of that paper by the same factor. With these optimizations, in order to break GPRS/GSM, RFID, and TETRA communications in a year, one needs around 11, 22 billion, and 1.36 million RTX 4090 GPUs, respectively. For KASUMI, the time-memory trade-off attacks of [ACC+24] can be performed with 142 RTX 4090 GPUs instead of 2400 RTX 3090 GPUs or, when the same amount of GPUs are used, their table creation time can be reduced to 20.6 days from 348 days, crucial improvements for real world cryptanalytic tasks.
2025
TOSC
Cryptanalysis: Theory Versus Practice: Correcting Cryptanalysis Results on Ascon, ChaCha, and Serpent Using GPUs
Abstract
Most modern cryptanalysis results are obtained through theoretical analysis, often relying on simplifications and idealized assumptions. In this work, we use the parallel computational power of GPUs to experimentally verify a small portion of the cryptanalysis results that have been published in recent years. Our focus is on the ciphers Ascon, ChaCha, and Serpent. In none of the attacks we considered did the theoretical estimates fully match the actual practical values. More precisely, we show that the 4.5-round truncated differential with probability one, the 6-round differential-linear (DL), and the 6-round impossible differential distinguishers on Ascon, as well as the best known 7- and 7.5-round DL distinguisher on ChaCha, do not actually work in practice. Moreover, we demonstrate that the best known 10, 11, and 12-round DL attacks on Serpent perform better in practice than previously estimated. Additionally, we provide a new experimentally obtained 9-round DL distinguisher on Serpent, which can be used in 10 and 11-round attacks with reduced data complexity. In a broader sense, we recommend that cryptanalysts experimentally verify reduced versions of their theoretically obtained analysis results whenever possible. In order to simplify this process, we make our optimized code for the ciphers treated here available for future use.
2018
TOSC
Searching for Subspace Trails and Truncated Differentials
Abstract
Grassi et al. [Gra+16] introduced subspace trail cryptanalysis as a generalization of invariant subspaces and used it to give the first five round distinguisher for Aes. While it is a generic method, up to now it was only applied to the Aes and Prince. One problem for a broad adoption of the attack is a missing generic analysis algorithm. In this work we provide efficient and generic algorithms that make it possible to compute the provably best subspace trails for any substitution permutation cipher.
Coauthors
- Hosein Hadipour (1)
- Gregor Leander (3)
- Cihangir Tezcan (3)
- Friedrich Wiemer (1)