Speeding up Preimage and Key-Recovery Attacks with Highly Biased Differential-Linear Approximations

Zhongfeng Niu; Kai Hu; Siwei Sun; Zhiyu Zhang; Meiqin Wang

Paper 2024/857

Speeding up Preimage and Key-Recovery Attacks with Highly Biased Differential-Linear Approximations

Zhongfeng Niu, University of Chinese Academy of Sciences

Kai Hu, Shandong University

Siwei Sun, University of Chinese Academy of Sciences

Zhiyu Zhang, University of Chinese Academy of Sciences

Meiqin Wang, Shandong University

Abstract

We present a framework for speeding up the search for preimages of candidate one-way functions based on highly biased differential-linear distinguishers. It is naturally applicable to preimage attacks on hash functions. Further, a variant of this framework applied to keyed functions leads to accelerated key-recovery attacks. Interestingly, our technique is able to exploit related-key differential-linear distinguishers in the single-key model without querying the target encryption oracle with unknown but related keys. This is in essence similar to how we speed up the key search based on the well known complementation property of DES, which calls for caution from the designers in building primitives meant to be secure in the single-key setting without a thorough cryptanalysis in the related-key model. We apply the method to sponge-based hash function Ascon-HASH, XOFs XOEsch/Ascon-XOF and AEAD Schwaemm, etc. Accelerated preimage or key-recovery attacks are obtained. Note that all the differential-linear distinguishers employed in this work are highly biased and thus can be experimentally verified.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: A minor revision of an IACR publication in CRYPTO 2024
Keywords: Differential-linear Preimage attack Key-recovery attack Sponge function Hash function AEAD
Contact author(s): niuzhongfeng @ ucas ac cn
kai hu @ sdu edu cn
sunsiwei @ ucas ac cn
zhangzhiyu14 @ mails ucas ac cn
mqwang @ sdu edu cn
History: 2024-05-31: approved; 2024-05-31: received; See all versions
Short URL: https://ia.cr/2024/857
License: CC BY

BibTeX

@misc{cryptoeprint:2024/857,
      author = {Zhongfeng Niu and Kai Hu and Siwei Sun and Zhiyu Zhang and Meiqin Wang},
      title = {Speeding up Preimage and Key-Recovery Attacks with Highly Biased Differential-Linear Approximations},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/857},
      year = {2024},
      url = {https://eprint.iacr.org/2024/857}
}