**More Rounds, Less Security?**

*Jian Guo and Jérémy Jean and Nicky Mouha and Ivica Nikolić*

**Abstract: **This paper focuses on a surprising class of cryptanalysis results for symmetric-key primitives: when the number of rounds of the primitive is increased, the complexity of the cryptanalysis result decreases. Our primary target will be primitives that consist of identical round functions, such as PBKDF1, the Unix password hashing algorithm, and the Chaskey MAC function. However, some of our results also apply to constructions with non-identical rounds, such as the PRIDE block cipher. First, we construct distinguishers for which the data complexity decreases when the number of rounds is increased. They are based on two well-known observations: iterating a random permutation increases the expected number of fixed points, and iterating a random function decreases the expected number of image points. We explain that these effects also apply to components of cryptographic primitives, such as a round of a block cipher. Second, we introduce a class of key-recovery and preimage-finding techniques that correspond to exhaustive search, however on a smaller part (e.g. one round) of the primitive. As the time complexity of a cryptanalysis result is usually measured by the number of full-round evaluations of the primitive, increasing the number of rounds will lower the time complexity. None of the observations in this paper result in more than a small speed-up over exhaustive search. Therefore, for lightweight applications, implementation advantages may outweigh the presence of these observations.

**Category / Keywords: **secret-key cryptography / Iterated cipher, fixed points, slide attack, PRIDE, Chaskey, PKCS, PBKDF1, Unix password hashing algorithm, Even-Mansour, FX-construction.

**Date: **received 21 May 2015, last revised 2 Jun 2016

**Contact author: **nicky at mouha be

**Available format(s): **PDF | BibTeX Citation

**Version: **20160602:124909 (All versions of this report)

**Short URL: **ia.cr/2015/484

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]