Revisiting Gilbert’s known-key distinguisher-Reference-Cited by-同舟云学术

Revisiting Gilbert’s known-key distinguisher

Published:2020-05-04 Issue:7 Volume:88 Page:1401-1445
ISSN:0925-1022
Container-title:Designs, Codes and Cryptography
language:en
Short-container-title:Des. Codes Cryptogr.

Author:

Grassi Lorenzo,Rechberger Christian

Abstract

AbstractKnown-key distinguishers have been introduced by Knudsen and Rijmen in 2007 to better understand the security of block ciphers in situations where the key can not be considered to be secret, i.e. the “thing between secret-key model and hash function use-cases”. Trying to find a rigorous model to fit this intuition is still ongoing. The most recent advance by Gilbert (Asiacrypt 2014) describes a new model that—even if it is well justified—seemingly does not match this intuition. AES is often considered as a target of such analyses, simply because AES or its building blocks are used in many settings that go beyond classical encryption. Consider AES-128. Results in the secret-key model cover up to 6 rounds, while results in the chosen-key model reach up to 9 rounds. Gilbert however showed a result in the known-key model that goes even further, covering 10 rounds. Does it mean that the use cases corresponding to the cryptanalysis of hash-function use-cases are inherently less efficient, or is it rather an artifact of the new model? In this paper we give strong evidence for the latter. In Gilbert’s work, two types of arguments or rather conjectures are put forward suggesting that the new model is meaningful. Firstly that the number of “extension rounds” due to the new model is limited to two. And secondly that only a distinguisher that exploits the uniform distribution property can be extended in such way. We disprove both conjectures and arrive at the following results: First, we are also able to show that more than two extension rounds are possible. As a result of this, we describe the first known-key distinguishers on 12 rounds of AES that fit into Gilbert’s model. The second conjecture is disproven by showing that the technique proposed by Gilbert can also be used to extend a known-key distinguisher based on another property: truncated differentials. A potential conclusion of this work would be that the counter-intuitive gap between Gilbert’s known-key model and the chosen-key model is wider than initially thought. We however conclude that results in Gilbert’s model are due to an artifact in the model. To remedy this situation, we propose a refinement of the known-key model which restores its original intent to fit the original intuition.

Funder

Radboud University

Publisher

Springer Science and Business Media LLC

Subject

Applied Mathematics,Computer Science Applications

Link

https://link.springer.com/content/pdf/10.1007/s10623-020-00756-5.pdf

Reference34 articles.

1. Andreeva, E., Bogdanov, A., Mennink, B.: Towards Understanding the Known-Key Security of Block Ciphers. In: FSE 2013, volume 8424 of LNCS, pp. 348–366, (2013)

2. Aumasson, J.-P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi, 2009. In: Presented at the Rump Session of Cryptographic Hardware and Embedded Systems—CHES (2009)

3. Bellare, M., Micciancio, D.: A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost. In: EUROCRYPT 1997, vol. 1233 of LNCS, pp. 163–192 (1997).

4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Note on zero-sum distinguishers of Keccak-f. 2010. Unpublished, http://keccak.noekeon.org/NoteZeroSum.pdf.

5. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and Related-Key Attack on the Full AES-256. In: CRYPTO 2009, volume 5677 of LNCS, pp. 231–249, (2009)

Cited by 4 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. $\mathrm{C}\eta\iota \text{DAE}$: Cryptographically Distinguishing Autoencoder for Cipher Cryptanalysis;GLOBECOM 2023 - 2023 IEEE Global Communications Conference;2023-12-04

2. Distinguishing Error of Nonlinear Invariant Attacks;Lecture Notes in Computer Science;2022

3. Weak-Key Distinguishers for AES;Selected Areas in Cryptography;2021

4. Sequential Indifferentiability of Confusion-Diffusion Networks;Lecture Notes in Computer Science;2021