Key-Recovery Attack on the ASASA Cryptosystem with Expanding S-Boxes
نویسندگان
چکیده
We present a cryptanalysis of the ASASA public key cipher introduced at Asiacrypt 2014 [3]. This scheme alternates three layers of affine transformations A with two layers of quadratic substitutions S. We show that the partial derivatives of the public key polynomials contain information about the intermediate layer. This enables us to present a very simple distinguisher between an ASASA public key and random polynomials. We then expand upon the ideas of the distinguisher to achieve a full secret key recovery. This method uses only linear algebra and has a complexity dominated by the cost of computing the kernels of 2 small matrices with entries in F16.
منابع مشابه
Hardware Implementation of Dynamic S-BOX to Use in AES Cryptosystem
One of the major cipher symmetric algorithms is AES. Its main feature is to use S-BOX step, which is the only non-linear part of this standard possessing fixed structure. During the previous studies, it was shown that AES standard security was increased by changing the design concepts of S-BOX and production of dynamic S-BOX. In this paper, a change of AES standard security is studied by produc...
متن کاملTotal break of Zorro using linear and differential attacks
An AES-like lightweight block cipher, namely Zorro, was proposed in CHES 2013. While it has a 16-byte state, it uses only 4 S-Boxes per round. This weak nonlinearity was widely criticized, insofar as it has been directly exploited in all the attacks on Zorro reported by now, including the weak key, reduced round, and even full round attacks. In this paper, using some properties discovered by Wa...
متن کاملOn the security of compressed encryption with partial unitary sensing matrices embedding a secret keystream
The principle of compressed sensing (CS) can be applied in a cryptosystem by providing the notion of security. In this paper, we study the computational security of a CS-based cryptosystem that encrypts a plaintext with a partial unitary sensing matrix embedding a secret keystream. The keystream is obtained by a keystream generator of stream ciphers, where the initial seed becomes the secret ke...
متن کاملDesigning S-boxes for Ciphers Resistant to Differential Cryptanalysis
This paper examines recent work in the area of bent-function-based substitution boxes in order to refine the relationship between s-box construction and immunity to the differential cryptanalysis attack described by Biham and Shamir. It is concluded that m n × s-boxes, m n < , which are partially bent-function-based are the most appropriate choice for private-key cryptosystems constructed as su...
متن کاملCryptanalysis of the Huang-Liu-Yang Cryptosystem from PKC 2012
This short note describes a key-recovery attack against a multi-variate quadratic cryptosystem proposed by Huang, Liu, and Yang (PKC 2012). Our attack is running lattice-basis reduction algorithms on a lattice constructed from the keys in the cryptosystem. The attack takes less than 20 minutes for the proposed parameter sets which are expected to be 80-bit and 128-bit security.
متن کامل