International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Commutative Cryptanalysis Made Practical

Authors:
Jules Baudrin , Inria, Paris, France
Patrick Felke , University of Applied Sciences Emden/Leer, Emden, Germany
Gregor Leander , Ruhr University Bochum, Bochum, Germany
Patrick Neumann , Ruhr University Bochum, Bochum, Germany
Léo Perrin , Inria, Paris, France
Lukas Stennes , Ruhr University Bochum, Bochum, Germany
Download:
DOI: 10.46586/tosc.v2023.i4.299-329
URL: https://tosc.iacr.org/index.php/ToSC/article/view/11290
Search ePrint
Search Google
Abstract: About 20 years ago, Wagner showed that most of the (then) known techniques used in the cryptanalysis of block ciphers were particular cases of what he called commutative diagram cryptanalysis. However, to the best of our knowledge, this general framework has not yet been leveraged to find concrete attacks.In this paper, we focus on a particular case of this framework and develop commutative cryptanalysis, whereby an attacker targeting a primitive E constructs affine permutations A and B such that E ○ A = B ○ E with a high probability, possibly for some weak keys. We develop the tools needed for the practical use of this technique: first, we generalize differential uniformity into “A-uniformity” and differential trails into “commutative trails”, and second we investigate the commutative behaviour of S-box layers, matrix multiplications, and key additions.Equipped with these new techniques, we find probability-one distinguishers using only two chosen plaintexts for large classes of weak keys in both a modified Midori and in Scream. For the same weak keys, we deduce high probability truncated differentials that can cover an arbitrary number of rounds, but which do not correspond to any high probability differential trails. Similarly, we show the existence of a trade-off in our variant of Midori whereby the probability of the commutative trail can be decreased in order to increase the weak key density. We also show some statistical patterns in the AES super S-box that have a much higher probability than the best differentials, and which hold for a class of weak keys of density about 2−4.5.
BibTeX
@article{tosc-2023-33691,
  title={Commutative Cryptanalysis Made Practical},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={023 No. 4},
  pages={299-329},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/11290},
  doi={10.46586/tosc.v2023.i4.299-329},
  author={Jules Baudrin and Patrick Felke and Gregor Leander and Patrick Neumann and Léo Perrin and Lukas Stennes},
  year=2023
}