Higher-Order Cryptanalysis of LowMC
Authors
Abstract
LowMC is a family of block ciphers developed particularly for use in multi-party computations and fully homomorphic encryption schemes, where the main performance penalty comes from non-linear operations. Thus, LowMC has been designed to minimize the total number of logical "and" operations, as well as the "and" depth. To achieve this, the LowMC designers opted for an incomplete S-box layer that does not cover the complete state, and compensate for it with a very dense, randomly chosen linear layer. In this work, we exploit this design strategy in a cube-like key-recovery attack. We are able to recover the secret key of a round-reduced variant of LowMC with 80-bit security, where the number of rounds is reduced from 11 to 9. Our attacks are independent of the actual instances of the linear layers used and therefore do not exploit possible weak choices of them. From our results, we conclude that the resulting security margin of 2 rounds is smaller than expected.
Similar resources
Optimized Interpolation Attacks on LowMC
LowMC is a collection of block cipher families introduced at Eurocrypt 2015 by Albrecht et al. Its design is optimized for instantiations of multi-party computation, fully homomorphic encryption, and zero-knowledge proofs. A unique feature of LowMC is that its internal affine layers are chosen at random, and thus each block cipher family contains a huge number of instances. The Eurocrypt paper ...
Eliminating Variables in Boolean Equation Systems
Systems of Boolean equations of low degree arise in a natural way when analyzing block ciphers. The cipher’s round functions relate the secret key to auxiliary variables that are introduced by each successive round. In algebraic cryptanalysis, the attacker attempts to solve the resulting equation system in order to extract the secret key. In this paper we study algorithms for eliminating the au...
Impossible Differential Cryptanalysis on Deoxys-BC-256
Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher Deoxys-BC, where in addition to the plaintext and key, it takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 which is used in Deoxys as an internal tweakable block cipher. First, we find a 4.5-round...
Improvements to the Linear Layer of LowMC: A Faster Picnic
Picnic is a practical approach to digital signatures where the security is largely based on the existence of a one-way function, and the signature size strongly depends on the number of multiplications in the description of that one-way function. The highly parameterizable block cipher family LowMC has the most competitive properties with respect to this metric, and is hence a standard choice. ...
Integral Cryptanalysis and Higher Order Differential Attack
Integral cryptanalysis and higher order differential attack are chosen- (or known-) plaintext attacks on block ciphers. These attacks have been developed independently and have become widely used as strong tools to analyze the security of block ciphers. In this paper, the basic idea of these attacks, including brief historical comments, is described. We give some recent applications of integral cryptanalysis...