International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128

Authors:
Rui Zong , Verification & Validation Technology Corporation Limited, Shenzhen, China
Xiaoyang Dong , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China
Huaifeng Chen , The 6-th Research Institute of China Electronics Corporation, Beijing, China
Yiyuan Luo , School of Computer Science and Engineering, Huizhou University, Huizhou, China; Network and Data Security Key Laboratory of Sichuan Province, University of Electronic Science and Technology of China, Chengdu, China
Si Wang , China Telecom Corporation Limited, Guangzhou, China
Zheng Li , Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
Download:
DOI: 10.46586/tosc.v2021.i1.156-184
URL: https://tosc.iacr.org/index.php/ToSC/article/view/8836
Search ePrint
Search Google
Abstract: When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.
Video from TOSC 2021
BibTeX
@article{tosc-2021-30948,
  title={Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2021, Issue 1},
  pages={156-184},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/8836},
  doi={10.46586/tosc.v2021.i1.156-184},
  author={Rui Zong and Xiaoyang Dong and Huaifeng Chen and Yiyuan Luo and Si Wang and Zheng Li},
  year=2021
}