Cryptology ePrint Archive: Report 2021/1572

Integral Attacks on Pyjamask-96 and Round-Reduced Pyjamask-128 (Full version)

Jiamin Cui and Kai Hu and Qingju Wang and Meiqin Wang

Abstract: Reducing the number of multiplications has become a popular trend in the design of symmetric cryptographic primitives, because it brings benefits for fully homomorphic encryption (FHE), multi-party computation (MPC), post-quantum signature schemes, and efficient masked implementations for side-channel resistance. With an aggressive design strategy that exploits an extremely simple, low-degree S-box and a low number of rounds, Pyjamask, the block cipher underlying the AEAD of the same name, has the smallest number of AND gates per bit among all existing block ciphers (except LowMC and Rasta, which work on unconventional plaintext/key sizes). Thus, although the AEAD Pyjamask did not advance beyond the second round of the NIST lightweight cryptography standardization process, the block cipher Pyjamask itself still attracts a lot of attention. Not unexpectedly, the low degree and the low number of rounds are also Pyjamask's biggest weakness. At FSE 2020, Dobraunig et al. mounted an algebraic and higher-order differential attack on full Pyjamask-96, one member of the Pyjamask block cipher family. The drawback of this attack is that it requires the full codebook, which makes it less appealing. In this paper, we take integral attacks as our weapon; they are likewise sensitive to low algebraic degree. Based on a new 11-round integral distinguisher found with state-of-the-art detection techniques, and combined with a relationship between round keys that reduces the key material involved, we give the first key-recovery attack on full Pyjamask-96 that does not need the full codebook. Further, the algebraic and higher-order differential technique does not work for Pyjamask-128, the other member of the Pyjamask block cipher family. To better understand the security margin of Pyjamask-128, we present the first third-party cryptanalysis of Pyjamask-128, reaching 11 out of 14 rounds.
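The abstract's central point is that integral attacks, like higher-order differential attacks, exploit a low algebraic degree: summing the outputs of a degree-d function over any affine subspace of dimension d+1 gives zero, so a cipher whose round function has low degree admits zero-sum distinguishers over many rounds. The following is an added illustration of that principle, not code from the paper or from the Pyjamask designers. It uses a constructed 6-bit toy SPN (two 3-bit S-boxes, a constructed bit permutation, XORed round keys); the S-box x -> x^3 over GF(2^3) is a quadratic permutation chosen as a stand-in for a low-degree S-box and is not Pyjamask's S-box. The script computes the exact degree d of the round-reduced toy cipher with a Moebius transform and then checks by brute force that every (d+1)-dimensional cube is a zero-sum while some d-dimensional cube is not. Division property and monomial prediction, the detection techniques the paper relies on, replace this brute force with a bound on which monomials can appear; the toy is small enough to check directly.

```python
from itertools import combinations

# Added example (not from the paper): a constructed 6-bit toy SPN, used only to
# show why a low-degree round function yields integral (zero-sum) distinguishers.
N = 6  # toy state size: two 3-bit S-boxes side by side


def gf8_mul(a: int, b: int) -> int:
    """Multiply in GF(2^3) with modulus x^3 + x + 1 (field chosen for the toy S-box)."""
    r = 0
    for _ in range(3):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= 0b1011
    return r


# Toy 3-bit S-box x -> x^3 in GF(2^3): a permutation of algebraic degree 2.
# It is a stand-in for a low-degree S-box and is NOT Pyjamask's S-box.
SBOX = [gf8_mul(x, gf8_mul(x, x)) for x in range(8)]

# Constructed bit permutation: input bit i is moved to position PERM[i].
PERM = [0, 2, 4, 1, 3, 5]


def permute_bits(x: int) -> int:
    y = 0
    for i in range(N):
        if (x >> i) & 1:
            y |= 1 << PERM[i]
    return y


def round_function(x: int, k: int) -> int:
    """S-box layer, bit permutation, round-key addition."""
    x = SBOX[x & 0b111] | (SBOX[(x >> 3) & 0b111] << 3)
    return permute_bits(x) ^ k


def encrypt(x: int, keys) -> int:
    for k in keys:
        x = round_function(x, k)
    return x


def anf(truth_table):
    """Moebius transform: truth table indexed by input -> ANF coefficients indexed
    by monomial mask. Entries may be vectors (ints); XOR acts coordinate-wise."""
    coeffs = list(truth_table)
    n = len(coeffs).bit_length() - 1
    for i in range(n):
        step = 1 << i
        for j in range(len(coeffs)):
            if j & step:
                coeffs[j] ^= coeffs[j ^ step]
    return coeffs


def degree(truth_table) -> int:
    """Algebraic degree: largest monomial present in any output coordinate."""
    return max((bin(u).count("1") for u, c in enumerate(anf(truth_table)) if c), default=0)


def integral_sum(cipher, active: int, const: int) -> int:
    """XOR-sum of cipher(x) over the affine cube where the bits in `active` take
    all values and the remaining bits are fixed to those of `const`."""
    total, sub = 0, active
    while True:
        total ^= cipher((const & ~active) | sub)
        if sub == 0:
            return total
        sub = (sub - 1) & active


def analyse(keys):
    """Return (degree d of the round-reduced toy cipher, whether every
    (d+1)-dimensional cube is a zero-sum, whether some d-dimensional cube is not)."""
    cipher = lambda x: encrypt(x, keys)
    d = degree([cipher(x) for x in range(1 << N)])

    def cubes(dim):
        for bits in combinations(range(N), dim):
            active = sum(1 << b for b in bits)
            for const in range(1 << N):
                yield integral_sum(cipher, active, const)

    all_zero_above = all(s == 0 for s in cubes(d + 1))
    some_nonzero_at = any(s != 0 for s in cubes(d))
    return d, all_zero_above, some_nonzero_at


if __name__ == "__main__":
    for rounds in (1, 2, 3):
        keys = tuple((0x2A * (i + 1)) & 0x3F for i in range(rounds))  # constructed keys
        d, zero, nonzero = analyse(keys)
        print(f"{rounds} round(s): degree {d} (bound {min(2 ** rounds, N - 1)}); "
              f"all {d + 1}-dim cubes zero-sum: {zero}; some {d}-dim cube non-zero: {nonzero}")
```

After one round the degree is exactly 2, so every 3-dimensional cube is balanced; after r rounds the trivial bound is 2^r, capped at N-1 for a permutation. The data requirement of such a distinguisher is 2^(d+1) chosen plaintexts, which is why an attacker wants the lowest-dimensional cube that still sums to zero, and why, on a real cipher, a division-property or monomial-prediction search is needed to find cubes far below the trivial degree bound rather than the exhaustive check used here.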

Category / Keywords: secret-key cryptography / Pyjamask, Lightweight cipher, Integral Attack, Division Property, Monomial Prediction

Original Publication (with major differences): CT-RSA 2022

Date: received 1 Dec 2021, last revised 4 Mar 2022

Contact author: cuijiamin at mail sdu edu cn, hukai at mail sdu edu cn, mqwang at sdu edu cn, qingju wang at uni lu

Available format(s): PDF | BibTeX Citation

Version: 20220304:025403 (All versions of this report)

Short URL: ia.cr/2021/1572
