## CryptoDB

### Eik List

#### Publications

**Year**

**Venue**

**Title**

2024

EUROCRYPT

Diving Deep into the Preimage Security of AES-like Hashing
Abstract

Since the seminal works by Aoki and Sasaki, meet-in-the-middle (MITM) attacks are known to be effective for preimage and collision attacks of hash functions. At Eurocrypt'21, Bao et al. initiated the automation of such preimage and collision MITM attacks for AES-like hash functions, which brought up models that could capture larger search spaces than what could be studied manually before. Follow-up works then integrated several techniques such as guess-and-determine, bidirectional propagation, and states in superposition. However, this research direction has been far from complete. In previous models, initial states were limited to single independent states and were not allowed to have bytes in superposition. Moreover, S-box inputs in superposition could not be propagated unless the full byte was guessed. Besides more advanced techniques, the general question of how the state-of-the-art results could be improved remained of high interest.
In this work, we lift some of these limitations with novel techniques: We introduce the S-box linearization technique for automated MITM preimage attacks so that a superposition of bytes active in both the for- and the backward neutral chunk can pass through an S-box. We propose what we call distributed initial structures that allow more general definitions of initial states from multiple states to enlarge the search space. Beyond those, we exploit the similarity between encryption function and key schedule in constructions such as Whirlpool, and Streebog in our models to reduce the consumed degrees of freedom. To better integrate the proposed techniques, we present a refined and lightweight MILP-based search model.
We illustrate the effectiveness of our enhanced MITM framework with improved preimage attacks on hash-function modes of standardized AES-like designs. We obtain the first preimage attacks on 10-round AES-192, 10-round Rijndael-192/256, and 7.75-round Whirlpool. Moreover, we can reduce time or memory complexities for attacks on 5- and 6-round Whirlpool, and 7.5- and 8.5-round Streebog. We show that our model is not limited to preimage attacks with improved collision attacks on 6- and 6.5-round Whirlpool.

2020

TOSC

Extended Truncated-differential Distinguishers on Round-reduced AES
📺
Abstract

Distinguishers on round-reduced AES have attracted considerable attention in the recent years. While the number of rounds covered in key-recovery attacks did not increase, subspace, yoyo, mixture-differential, and multiple-of-n cryptanalysis advanced the understanding of the properties of the cipher.For substitution-permutation networks, integral attacks are a suitable target for extension since they usually end after a linear layer sums several subcomponents. Based on results by Patarin, Chen et al. already observed that the expected number of collisions for a sum of permutations differs slightly from that for a random primitive. Though, their target remained lightweight primitives.The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over 4 and 5 rounds. In contrast to previous distinguishers by Grassi et al., our approach allows to prepend a round that starts from a diagonal subspace. We demonstrate how the prepended round can be used for key recovery with a new differential key-recovery attack on six-round AES. Moreover, we show how the prepended round can also be integrated to form a six-round distinguisher. For all distinguishers and the key-recovery attack, our results are supported by implementations with Cid et al.’s established Small-AES version. While the distinguishers do not threaten the security of the AES, they try to shed more light on its properties.

2020

ASIACRYPT

Towards Closing The Security Gap of Tweak-aNd-Tweak (TNT)
📺
Abstract

Tweakable block ciphers (TBCs) have been established as a valuable replacement for many applications of classical block ciphers. While several dedicated TBCs have been proposed in the previous years, generic constructions that build a TBC from a classical block cipher are still highly useful, for example, to reuse an existing implementation. However, most generic constructions need an additional call to either the block cipher or a universal hash function to process the tweak, which limited their efficiency.
To address this deficit, Bao et al. proposed Tweak-aNd-Tweak (TNT) at EUROCRYPT'20. Their construction chains three calls to independent keyed permutations and adds the unmodified tweak to the state in between the calls. They further suggested an efficient instantiation TNT-AES that was based on round-reduced AES for each of the permutations. Their work could prove 2n/3-bit security for their construction, where n is the block size in bits. Though, in the absence of an upper bound, their analysis had to consider all possible attack vectors with up to 2^n time, data, and memory. Still, closing the gap between both bounds remained a highly interesting research question.
In this work, we show that a variant of Mennink's distinguisher on CLRW2 with O(sqrt{n} 2^{3n/4}) data and O(2^{3n/2}) time from TCC'18 also applies to TNT. We reduce its time complexity to O(sqrt{n} 2^{3n/4}), show the existence of a second similar distinguisher, and demonstrate how to transform the distinguisher to a key-recovery attack on TNT-AES[5,*,*] from an impossible differential. From a constructive point of view, we adapt the rigorous STPRP analysis of CLRW2 by Jha and Nandi to show O(2^{3n/4}) TPRP security for TNT. Thus, we move towards closing the gap between the previous proof and attacks for TNT as well as its proposed instance.

2020

TOSC

Highly Secure Nonce-based MACs from the Sum of Tweakable Block Ciphers
📺
Abstract

Tweakable block ciphers (TBCs) have proven highly useful to boost the security guarantees of authentication schemes. In 2017, Cogliati et al. proposed two MACs combining TBC and universal hash functions: a nonce-based MAC called NaT and a deterministic MAC called HaT. While both constructions provide high security, their properties are complementary: NaT is almost fully secure when nonces are respected (i.e., n-bit security, where n is the block size of the TBC, and no security degradation in terms of the number of MAC queries when nonces are unique), while its security degrades gracefully to the birthday bound (n/2 bits) when nonces are misused. HaT has n-bit security and can be used naturally as a nonce-based MAC when a message contains a nonce. However, it does not have full security even if nonces are unique.This work proposes two highly secure and efficient MACs to fill the gap: NaT2 and eHaT. Both provide (almost) full security if nonces are unique and more than n/2-bit security when nonces can repeat. Based on NaT and HaT, we aim at achieving these properties in a modular approach. Our first proposal, Nonce-as-Tweak2 (NaT2), is the sum of two NaT instances. Our second proposal, enhanced Hash-as-Tweak (eHaT), extends HaT by adding the output of an additional nonce-depending call to the TBC and prepending nonce to the message. Despite the conceptual simplicity, the security proofs are involved. For NaT2 in particular, we rely on the recent proof framework for Double-block Hash-then-Sum by Kim et al. from Eurocrypt 2020.

2019

TOSC

DoveMAC: A TBC-based PRF with Smaller State, Full Security, and High Rate
📺
Abstract

Recent parallelizable message authentication codes (MACs) have demonstrated the benefit of tweakable block ciphers (TBCs) for authentication with high security guarantees. With ZMAC, Iwata et al. extended this line of research by showing that TBCs can simultaneously increase the number of message bits that are processed per primitive call. However, ZMAC and previous TBC-based MACs needed more memory than sequential constructions. While this aspect is less an issue on desktop processors, it can be unfavorable on resource-constrained platforms. In contrast, existing sequential MACs limit the number of message bits to the block length of the primitive n or below.This work proposes DoveMAC, a TBC-based PRF that reduces the memory of ZMAC-based MACs to 2n+ 2t+2k bits, where n is the state size, t the tweak length, and k the key length of the underlying primitive. DoveMAC provides (n+min(n+t))/2 bits of security, and processes n+t bits per primitive call. Our construction is the first sequential MAC that combines beyond-birthday-bound security with a rate above n bits per call. By reserving a single tweak bit for domain separation, we derive a single-key variant DoveMAC1k.

2018

CRYPTO

Rasta: A Cipher with Low ANDdepth and Few ANDs per Bit
📺
Abstract

Recent developments in multi party computation (MPC) and fully homomorphic encryption (FHE) promoted the design and analysis of symmetric cryptographic schemes that minimize multiplications in one way or another. In this paper, we propose with Rastaa design strategy for symmetric encryption that has ANDdepth d and at the same time only needs d ANDs per encrypted bit. Even for very low values of d between 2 and 6 we can give strong evidence that attacks may not exist. This contributes to a better understanding of the limits of what concrete symmetric-key constructions can theoretically achieve with respect to AND-related metrics, and is to the best of our knowledge the first attempt that minimizes both metrics simultaneously. Furthermore, we can give evidence that for choices of d between 4 and 6 the resulting implementation properties may well be competitive by testing our construction in the use-case of removing the large ciphertext-expansion when using the BGV scheme.

2018

ASIACRYPT

ZCZ – Achieving n-bit SPRP Security with a Minimal Number of Tweakable-Block-Cipher Calls
Abstract

Strong Pseudo-random Permutations (SPRPs) are important for various applications. In general, it is desirable to base an SPRP on a single-keyed primitive for minimizing the implementation costs. For constructions built on classical block ciphers, Nandi showed at ASIACRYPT’15 that at least two calls to the primitive per processed message block are required for SPRP security, assuming that all further operations are linear. The ongoing trend of using tweakable block ciphers as primitive has already led to MACs or encryption modes with high security and efficiency properties. Thus, three interesting research questions are hovering in the domain of SPRPs: (1) if and to which extent the bound of two calls per block can be reduced with a tweakable block cipher, (2) how concrete constructions could be realized, and (3) whether full n-bit security is achievable from primitives with n-bit state size.The present work addresses all three questions. Inspired by Iwata et al.’s ZHash proposal at CRYPTO’17, we propose the ZCZ (ZHash-Counter-ZHash) construction, a single-key variable-input-length SPRP based on a single tweakable block cipher whose tweak length is at least its state size. ZCZ possesses close to optimal properties with regards to both performance and security: not only does it require only asymptotically $$3\ell /2$$ calls to the primitive for $$\ell $$-block messages; we show that this figure is close to the minimum by an PRP distinguishing attack on any construction with tweak size of $$\tau = n$$ bits and fewer than $$(3\ell -1)/2$$ calls to the same primitive. Moreover, it provides optimal n-bit security for a primitive with n-bit state and tweak size.

2017

TOSC

ZMAC+ - An Efficient Variable-output-length Variant of ZMAC
Abstract

There is an ongoing trend in the symmetric-key cryptographic community to construct highly secure modes and message authentication codes based on tweakable block ciphers (TBCs). Recent constructions, such as Cogliati et al.’s HaT or Iwata et al.’s ZMAC, employ both the n-bit plaintext and the t-bit tweak simultaneously for higher performance. This work revisits ZMAC, and proposes a simpler alternative finalization based on HaT. As a result, we propose HtTBC, and call its instantiation with ZHash as a hash function ZMAC+. Compared to HaT, ZMAC+ (1) requires only a single key and a single primitive. Compared to ZMAC, our construction (2) allows variable, per-query parametrizable output lengths. Moreover, ZMAC+ (3) avoids the complex finalization of ZMAC and (4) improves the security bound from Ο(σ2/2n+min(n,t)) to Ο(q/2n + q(q + σ)/2n+min(n,t)) while retaining a practical tweak space.

#### Program Committees

- Asiacrypt 2023

#### Coauthors

- Farzaneh Abed (4)
- Zhenzhen Bao (1)
- Ritam Bhaumik (1)
- Shiyao Chen (1)
- Wonseok Choi (1)
- Christoph Dobraunig (1)
- Maria Eichlseder (1)
- Scott R. Fluhrer (1)
- Christian Forler (3)
- Lorenzo Grassi (1)
- Tony Grochow (1)
- Chun Guo (1)
- Jian Guo (3)
- Akiko Inoue (1)
- Virginie Lallemand (1)
- Gregor Leander (1)
- ByeongHak Lee (1)
- Jooyoung Lee (1)
- Stefan Lucks (4)
- David A. McGrew (1)
- Florian Mendel (1)
- Kazuhiko Minematsu (1)
- Yusuke Naito (1)
- Mridul Nandi (3)
- Christian Rechberger (1)
- Danping Shi (1)
- Ling Song (1)
- Jakob Wenzel (4)
- Tianyu Zhang (1)