Cryptology ePrint Archive: Report 2019/714

Generalized Related-Key Rectangle Attacks on Block Ciphers with Linear Key Schedule: Applications to SKINNY and GIFT

Boxin Zhao and Xiaoyang Dong and Willi Meier and Keting Jia and Gaoli Wang

Abstract: This paper gives a new generalized key-recovery model of related-key rectangle attacks on block ciphers with linear key schedules. The model is quite optimized and applicable to various block ciphers with linear key schedule. As a proof of work, we apply the new model to two very important block ciphers, i.e. SKINNY and GIFT, which are basic modules of many candidates of the Lightweight Cryptography (LWC) standardization project by NIST.

For SKINNY, we reduce the complexity of the best previous 27-round related-tweakey rectangle attack on SKINNY-128-384 from $2^{331}$ to $2^{294}$. In addition, the first 28-round related-tweakey rectangle attack on SKINNY-128-384 is given, which gains one more round than before. For the case of GIFT-64, we give the first 24-round related-key rectangle attack with a time complexity $2^{91.58}$, while the best previous attack on GIFT-64 only reaches 23 rounds at most.

Category / Keywords: secret-key cryptography / Key Recovery, Rectangle Attack, SKINNY, GIFT, Related-Key

Original Publication (with major differences): Designs, Codes and Cryptography

Date: received 17 Jun 2019, last revised 16 Mar 2020

Contact author: xiaoyangdong at tsinghua edu cn, boxinzhao at mail sdu edu cn, willi meier at fhnw ch, ktjia at tsinghua edu cn, glwang at sei ecnu edu cn

Available format(s): PDF | BibTeX Citation

Note: 1, Add an open problem in the conclusion section: For LOTUS-AEAD and LOCUS-AEAD \cite{LOTUS}, a Round 2 candidate of the NIST LWC, the designers state that ``the keys are computed by a predictable way in the mode and used with a fixed tweak. This implies that related-key security of TweGIFT-64 matters in the related-key security of the entire construction''. Hence, it is relevant to study GIFT-64 against related-key attack. The attacks in our paper do not cover the concrete impact on LOTUS-AEAD and LOCUS-AEAD. We would like to leave it as an open problem. 2, Remove the cryptanalysis on SKINNY-AEAD, due to error found by Sasaki at lwc-forum:!topic/lwc-forum/kCNjP0q64Bo.

Version: 20200317:035249 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]