Paper 2018/859
Cryptanalysis of Low-Data Instances of Full LowMCv2
Christian Rechberger, Hadi Soleimany, and Tyge Tiessen
Abstract
LowMC is a family of block ciphers designed for a low multiplicative complexity. The specification allows a large variety of instantiations, differing in block size, key size, number of S-boxes applied per round and allowed data complexity. The number of rounds deemed secure is determined by evaluating a number of attack vectors and taking the number of rounds still secure against the best of these. In this paper, we demonstrate that the attacks considered by the designers of LowMC in version 2 of the round formula were not sufficient to fend off all possible attacks. In the case of instantiations of LowMC with one of the most useful settings, namely with few applied S-boxes per round and only low allowable data complexities, efficient attacks based on difference enumeration techniques can be constructed. We show that it is most effective to consider tuples of differences instead of simple differences, both to increase the range of the distinguishers and to enable key recovery attacks. All applications for LowMC we are aware of, including signature schemes like Picnic and more recent (ring/group) signature schemes, have used version 3 of the round formula for LowMC, which takes our attack already into account.
Metadata
- Publication info
- Published by the IACR in FSE 2019
- Keywords
- secret-key cryptography
- Contact author(s)
- h_soleimany @ sbu ac ir
- History
- 2018-09-23: revised
- 2018-09-22: received
- Short URL
- https://ia.cr/2018/859
- License
- CC BY
BibTeX
@misc{cryptoeprint:2018/859,
  author = {Christian Rechberger and Hadi Soleimany and Tyge Tiessen},
  title = {Cryptanalysis of Low-Data Instances of Full {LowMCv2}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2018/859},
  year = {2018},
  url = {https://eprint.iacr.org/2018/859}
}