International Association for Cryptologic Research


CryptoDB

Mostafizar Rahman

Publications

Year | Venue | Title

2025 | CIC | On the Key-Commitment Properties of Forkcipher-based AEADs
Mostafizar Rahman, Samir Kundu, Takanori Isobe
Forkcipher-based AEADs have emerged as lightweight and efficient cryptographic modes, making them suitable for resource-constrained environments such as IoT devices and distributed decryption through MPC. These schemes, including prominent examples like Eevee (Jolteon, Espeon, and Umbreon), PAEF, RPAEF, and SAEF, leverage the properties of forkciphers to achieve enhanced performance. However, their security in terms of key commitment, a critical property for certain applications such as secure cloud services, as highlighted by Albertini et al. (USENIX 2022), has not been comprehensively analyzed until now.

In this work, we analyze the key-commitment properties of forkcipher-based AEADs. We found that some of the forkcipher-based AEAD schemes lack key-commitment properties, primarily due to the distinctive manner in which they process associated data and plaintext. For two different keys and the same nonce, an adversary can identify associated data and plaintext blocks that produce identical ciphertext-tags with a complexity of $O(1)$. Our findings apply to various forkcipher-based AEADs, including Eevee, PAEF, and SAEF, and naturally extend to less strict frameworks, such as CMT-1 and CMT-4.

These findings highlight a significant limitation in the robustness of forkcipher-based AEADs. While these modes are attractive for their lightweight design and efficiency, their deployment should be restricted in scenarios where explicit robustness or key-commitment security is required.
2025 | TCHES | AETHER: An Ultra-High Throughput and Low Energy Authenticated Encryption Scheme
In this paper, we introduce AETHER, an authenticated encryption scheme that achieves ultra-high throughput and low energy consumption, supporting a 256-bit key and a 128-bit tag. While inspired by an AEGIS-like structure, AETHER stands out with a completely redesigned round-update function. We replace the AES round function with a new inner function optimized for ultra-low latency and energy consumption. This function incorporates Orthros's S-box and a 16x16 binary matrix from Akleylek et al., leading to a 1.56 times reduction in energy consumption and a 1.25 times reduction in delay compared to the AES round function. To further optimize hardware performance, we design the general construction of the round-update function to be more hardware-friendly, allowing parallel execution of the inner function on all 128-bit words, thereby enhancing both throughput and security against collision-based forgery attacks. AETHER achieves a throughput of 2.1 Tbit/s and an energy consumption of only 204.31 nJ in the Nangate 15 nm standard cell library, and a throughput of 5.23 Tbit/s and an energy consumption of 1.83 nJ using the CNFET-OCL 5 nm library, outperforming all existing AEADs.
2024 | TOSC | Key Committing Attacks against AES-based AEAD Schemes
Recently, there has been a surge of interest in the security of authenticated encryption with associated data (AEAD) within the context of key commitment frameworks. Security within this framework ensures that a ciphertext chosen by an adversary does not decrypt to two different sets of key, nonce, and associated data. Despite this increasing interest, the security of several widely deployed AEAD schemes has not been thoroughly examined within this framework. In this work, we assess the key committing security of several AEAD schemes. First, the AEGIS family, which emerged as a winner in the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), and has been proposed for standardization at the IETF. A now outdated version of the draft standard suggested that AEGIS could qualify as a fully committing AEAD scheme; we prove that it is not the case by proposing a novel attack applicable to all variants, which has been experimentally verified. We also exhibit a key committing attack on Rocca-S. Our attacks are executed within the FROB game setting, which is known to be one of the most stringent key committing frameworks. This implies that they remain valid in other, more relaxed frameworks, such as CMT-1, CMT-4, and so forth. Finally, we show that applying the same attack techniques to Rocca and Tiaoxin-346 does not compromise their key-committing security. This observation provides valuable insights into the design of secure round update functions for AES-based AEAD schemes.
2024 | TCHES | Gleeok: A Family of Low-Latency PRFs and its Applications to Authenticated Encryption
In this paper, we propose a new family of low-latency pseudorandom functions (PRFs), dubbed Gleeok. Gleeok utilizes three 128-bit branches to achieve a 256-bit key size while maintaining low latency. The first two branches are specifically designed to defend against statistical attacks, especially differential attacks, while the third branch provides resilience against algebraic attacks. This unique design enables Gleeok to offer ultra-low latency while supporting 256-bit keys, setting it apart from existing ciphers dedicated to low-latency requirements. In addition, we propose wide-block variants having three 256-bit branches. We also present an application of Gleeok to short-input authenticated encryption, which is crucial for memory encryption and various real-time communication applications. Furthermore, we present comprehensive hardware implementation results that establish the capabilities of Gleeok and demonstrate its competitiveness against related schemes in the literature. In particular, Gleeok achieves a minimum latency of roughly 360 ps with the NanGate 15 nm cell library and is thus on par with related low-latency schemes that only feature 128-bit keys, while maintaining minimal overhead when equipped in an authenticated mode of operation.
2023 | TOSC | Revisiting Yoyo Tricks on AES
At Asiacrypt 2017, Rønjom et al. presented key-independent distinguishers for different numbers of rounds of AES, ranging from 3 to 6 rounds, in their work titled "Yoyo Tricks with AES". The reported data complexities for these distinguishers were 3, 4, $2^{25.8}$, and $2^{122.83}$, respectively. In this work, we revisit those key-independent distinguishers and analyze their success probabilities. We show that the distinguishing algorithms provided for 5 and 6 rounds of AES in the paper of Rønjom et al. are ineffective with the proposed data complexities. Our thorough theoretical analysis has revealed that the success probability of these distinguishers for both 5-round and 6-round AES is approximately 0.5, with the corresponding data complexities mentioned earlier. We investigate the reasons behind this seemingly random behavior of those reported distinguishers. Based on our theoretical findings, we have revised the distinguishing algorithm for 5-round AES. Our revised algorithm demonstrates success probabilities of approximately 0.55 and 0.81 for 5-round AES, with data complexities of $2^{29.95}$ and $2^{30.65}$, respectively. We have also conducted experimental tests to validate our theoretical findings, which further support our findings. Additionally, we have theoretically demonstrated that improving the success probability of the distinguisher for 6-round AES from 0.50000 to 0.50004 would require a data complexity of $2^{129.15}$. This finding invalidates the reported distinguisher by Rønjom et al. for 6-round AES.
2021 | TOSC | Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos
Mostafizar Rahman, Dhiman Saha, Goutam Paul
This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner at FSE 1999 and the yoyo attack by Rønjom et al. at Asiacrypt 2017. In doing so, the S-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with a time complexity of $2^{78}$. A 10-round key recovery attack on the recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique to AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small-scale variant of AES. We provide arguments that draw a relation between the proposed strategy and the retracing boomerang attack devised at Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers, and it warrants further attention as it has the potential of becoming an important cryptanalysis tool.
2018 | TOSC | New Yoyo Tricks with AES-based Permutations
Dhiman Saha, Mostafizar Rahman, Goutam Paul
At Asiacrypt 2017, Rønjom et al. reported some interesting generic properties of SPNs, leading to what they call the Yoyo trick, and applied it to find the most efficient distinguishers on AES. In this work, we explore the Yoyo idea in distinguishing public permutations for the first time. We introduce the notion of nested zero difference pattern, which extends the Yoyo idea and helps to compose it with improbable and impossible differential strategies to penetrate a higher number of rounds. We devise a novel inside-out application of Yoyo which enables us to start the Yoyo game from an internal round. As an application, we investigate the AES-based public permutation AESQ used inside the authenticated cipher PAEQ. We achieve the first deterministic distinguisher of AESQ up to 8 rounds and the first 9-round distinguisher of AESQ that starts from the first round, with a practical complexity of around $2^{26}$. We manage to augment Yoyo with improbable and impossible differentials, leading to distinguishers on 9, 10, and 12 rounds with complexities of about $2^{2}$, $2^{28}$, and $2^{126}$ respectively. Further, with impossible differentials and a bi-directional Yoyo strategy, we obtain a 16-round impossible differential distinguisher with a complexity of $2^{126}$. Our results outperform all previous records on AESQ by a substantial margin. As another application, we apply the proposed strategies to AES in the known-key setting, leading to one of the best 8-round known-key distinguishers with a complexity of $2^{30}$. Finally, this work amplifies the scope of the Yoyo technique as a generic cryptanalysis tool.

Service

CiC 2025 Editor