International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Generalized Nonlinear Invariant Attack and a New Design Criterion for Round Constants

Authors:
Yongzhuang Wei , Guilin University of Electronic Technology, Guilin, Guangxi Province 541004
Tao Ye , Guilin University of Electronic Technology, Guilin, Guangxi Province 541004
Wenling Wu , TCA Laboratory, SKLCS, Institute of Software, Chinese Academy of Sciences, Beijing 100190
Enes Pasalic , Guilin University of Electronic Technology, Guilin, Guangxi Province 541004, P.R. China; University of Primorska, FAMNIT, Koper 6000
Download:
DOI: 10.13154/tosc.v2018.i4.62-79
URL: https://tosc.iacr.org/index.php/ToSC/article/view/7361
Search ePrint
Search Google
Presentation: Slides
Abstract: The nonlinear invariant attack was introduced at ASIACRYPT 2016 by Todo et al.. The attack has received extensive attention of cryptographic community due to its practical application on the full-round block ciphers SCREAM, iSCREAM, and Midori64. However, the attack heavily relies on the choice of round constants and it becomes inefficient in the case these constants nonlinearly affect the so-called nonlinear invariants. In this article, to eliminate the impact from the round constants, a generalized nonlinear invariant attack which uses a pair of constants in the input of nonlinear invariants is proposed. The efficiency of this extended framework is practically confirmed by mounting a distinguishing attack on a variant of full-round iSCREAM cipher under a class of 280 weak keys. The considered variant of iSCREAM is however resistant against nonlinear invariant attack of Todo et al.. Furthermore, we investigate the resistance of block ciphers against generalized nonlinear invariant attacks with respect to the choice of round constants in an extended framework. We introduce a useful concept of closed-loop invariants of the substitution box (S-box) and show that the choice of robust round constants is closely related to the existence of linear structure of the closed-loop invariants of the substitution layer. In particular, we demonstrate that the design criteria for the round constants in Beierle et al.’s work at CRYPTO 2017 is not an optimal strategy. The round constants selected using this method may induce certain weaknesses that can be exploited in our generalized nonlinear invariant attack model. This scenario is efficiently demonstrated in the case of a slightly modified variant of the Midori64 block cipher.
Video from TOSC 2018
BibTeX
@article{tosc-2018-29246,
  title={Generalized Nonlinear Invariant Attack and a New Design Criterion for Round Constants},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2018, Issue 4},
  pages={62-79},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/7361},
  doi={10.13154/tosc.v2018.i4.62-79},
  author={Yongzhuang Wei and Tao Ye and Wenling Wu and Enes Pasalic},
  year=2018
}