Paper 2021/1572

Integral Attacks on Pyjamask-96 and Round-Reduced Pyjamask-128 (Full version)

Jiamin Cui, Kai Hu, Qingju Wang, and Meiqin Wang


In order to provide benefits in the areas of fully homomorphic encryption (FHE), multi-party computation (MPC), post-quantum signature schemes, or efficient masked implementations for side-channel resistance, reducing the number of multiplications has become a quite popular trend for the symmetric cryptographic primitive designs. With an aggressive design strategy exploiting the extremely simple and low-degree S-box and low number of rounds, Pyjamask, the fundamental block cipher of the AEAD with the same name, has the smallest number of AND gates per bit among all the existing block ciphers (except LowMC or Rasta which work on unconventional plaintext/key sizes). Thus, although the AEAD Pyjamask stuck at the second round of the NIST lightweight cryptography standardization process, the block cipher Pyjamask itself still attracts a lot of attention. Not very unexpectedly, the low degree and the low number of rounds are the biggest weakness of Pyjamask. At FSE 2020, Dobraunig et al. successfully mounted an algebraic and higher-order differential attack on full Pyjamask-96, one member of the Pyjamask block cipher family. However, the drawback of this attack is that it has to use the full codebook, which makes the attack less appealing. In this paper, we take integral attacks as our weapon, which are also sensitive to the low degree. Based on a new 11-round integral distinguisher found by state-of-the-art detection techniques, and combined with the relationship between round keys that reduces the involved keys, we give the key recovery attack on the full Pyjamask-96 without the full codebook for the first time. Further, the algebraic and higher-order differential technique does not work for Pyjamask-128, the other member of the Pyjamask block cipher family. To better understand the security margin of Pyjamask-128, we present the first third-party cryptanalysis on Pyjamask-128 up to 11 out of 14 rounds.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. MAJOR revision.CT-RSA 2022
PyjamaskLightweight cipherIntegral AttackDivision PropertyMonomial Prediction
Contact author(s)
cuijiamin @ mail sdu edu cn
hukai @ mail sdu edu cn
mqwang @ sdu edu cn
qingju wang @ uni lu
2022-03-04: last of 2 revisions
2021-12-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jiamin Cui and Kai Hu and Qingju Wang and Meiqin Wang},
      title = {Integral Attacks on Pyjamask-96 and Round-Reduced Pyjamask-128 (Full version)},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1572},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.