Cryptology ePrint Archive: Report 2016/1161

Impossible Differential Attack on Simpira v2

Rui Zong and Xiaoyang Dong and Xiaoyun Wang

Abstract: Simpira v2 is a family of cryptographic permutations proposed at ASIACRYPT 2016 which can be used to construct high throughput block ciphers using the Even-Mansour construction, permutation-based hashing and wide-block authenticated encryption. In this paper, we give a 9-round impossible differential of Simpira-4, which turns out to be the first 9-round impossible differential. In order to get some efficient key recovery attacks on its block cipher mode (EM construction with Simpira-4), we use some 6/7-round shrunken impossible differentials. Based on eight different 6-round impossible differentials, we propose a series of 7-round key recovery attacks on the block cipher mode, each 6-round impossible differential helps to recover 32-bit of the master key (512-bit) and totally half of the master key bits are recovered. The attacks need $2^{57}$ chosen plaintexts and $2^{57}$ 7-round encryptions. Furthermore, based on ten 7-round impossible differentials, we add one round on the top or at the bottom to mount ten 8-round key recovery attacks on the block cipher mode, which recover the full key space (512-bit) with the data complexity of $2^{170}$ chosen plaintexts and time complexity of $2^{170}$ 8-round encryptions. Those are the first attacks on round-reduced Simpira v2 and do not threaten the EM mode with the full 15-round Simpira-4.

Category / Keywords: secret-key cryptography / Simpira-4, impossible differential attack, Super S-box, the Even-Mansour construction, security claim

Date: received 18 Dec 2016

Contact author: dongxiaoyang at mail sdu edu cn

Available format(s): PDF | BibTeX Citation

Version: 20161228:140441 (All versions of this report)

Short URL: ia.cr/2016/1161

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]