Abstract

Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side-effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations obtained for 2.5 rounds of Pyjamask-96. The AEAD-scheme Pyjamask itself is not threatened by the work in this paper.
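The abstract rests on one principle: a map whose algebraic degree is d sums to zero over every affine subspace of dimension d + 1, so a slowly growing degree hands the attacker a higher-order differential (integral) distinguisher over many rounds. The script below is an added illustration of that principle and is not code from the paper or from the Pyjamask submission. It uses a constructed 9-bit toy cipher (three 3-bit chi S-boxes, a rotation-based invertible linear layer and made-up round constants, all assumptions of this example, nothing resembling Pyjamask-96) to compute the algebraic degree via the Moebius transform after each round and then checks that a derivative of order deg + 1 vanishes while one of order deg does not.

```python
"""Higher-order differentials versus algebraic degree on a constructed toy cipher.

Added illustration, not the paper's code. The round function is a toy (assumption):
three Keccak-style 3-bit chi S-boxes followed by an invertible linear layer
x ^ rotl(x,1) ^ rotl(x,3) on 9 bits, with made-up round constants as keys.
"""
import random

N = 9                       # toy state width in bits (three 3-bit S-boxes)
MASK = (1 << N) - 1
ROUND_KEYS = [0x0A5, 0x13C, 0x1F0, 0x077, 0x1A2]   # constructed constants, not a real key schedule


def chi3(v):
    """chi on 3 bits: y_i = x_i ^ (~x_{i+1} & x_{i+2}); a permutation of algebraic degree 2."""
    b = [(v >> i) & 1 for i in range(3)]
    out = [b[i] ^ ((b[(i + 1) % 3] ^ 1) & b[(i + 2) % 3]) for i in range(3)]
    return out[0] | (out[1] << 1) | (out[2] << 2)


def rotl(v, r):
    return ((v << r) | (v >> (N - r))) & MASK


def linear_layer(v):
    """x ^ rotl(x,1) ^ rotl(x,3): circulant 1+X+X^3, coprime to X^9+1 over GF(2), hence invertible."""
    return v ^ rotl(v, 1) ^ rotl(v, 3)


def toy_round(x, k):
    x ^= k
    y = 0
    for i in range(0, N, 3):
        y |= chi3((x >> i) & 7) << i
    return linear_layer(y)


def encrypt(x, rounds):
    for r in range(rounds):
        x = toy_round(x, ROUND_KEYS[r])
    return x


def mobius(truth):
    """Moebius transform: truth table (index = input) -> ANF coefficients (index = monomial mask)."""
    a = list(truth)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return a


def anf_of_bit(f, bit):
    return mobius([(f(x) >> bit) & 1 for x in range(1 << N)])


def top_monomial(f):
    """(degree, variable mask) of a highest-degree monomial over all output bits of f."""
    best = (0, 0)
    for bit in range(N):
        for m, c in enumerate(anf_of_bit(f, bit)):
            if c and bin(m).count("1") > best[0]:
                best = (bin(m).count("1"), m)
    return best


def higher_order_derivative(f, bit, base, directions):
    """XOR of output bit `bit` of f over base + span(directions): a derivative of order len(directions)."""
    total = 0
    for sub in range(1 << len(directions)):
        x = base
        for i, d in enumerate(directions):
            if (sub >> i) & 1:
                x ^= d
        total ^= (f(x) >> bit) & 1
    return total


def demo(rounds, seed=1):
    """Degree of the r-round toy cipher and the order-d / order-(d+1) derivative values."""
    f = lambda x: encrypt(x, rounds)
    degree, m = top_monomial(f)
    # The order-|m| derivative along the unit vectors of m at base 0 equals the ANF
    # coefficient of m, i.e. 1; adding any further direction gives a monomial of
    # degree d+1, whose coefficient is 0 because d is the degree of f.
    dirs = [1 << i for i in range(N) if (m >> i) & 1]
    extra = next(1 << i for i in range(N) if not (m >> i) & 1)
    bit = next(b for b in range(N) if anf_of_bit(f, b)[m])
    rng = random.Random(seed)
    rand_dirs = [rng.randrange(1, 1 << N) for _ in range(degree + 1)]
    return {
        "degree": degree,
        "order_d": higher_order_derivative(f, bit, 0, dirs),
        "order_d_plus_1": higher_order_derivative(f, bit, 0, dirs + [extra]),
        "random_order_d_plus_1": higher_order_derivative(f, 0, rng.randrange(1 << N), rand_dirs),
    }


if __name__ == "__main__":
    for r in range(1, 5):
        print(r, demo(r))
```

The degree after r rounds is at most min(2^r, N - 1), and the point of "slow growth" in the abstract is that real ciphers with few AND gates often stay well below that bound, which is exactly what makes a sum over 2^(d+1) chosen plaintexts a distinguisher. The order-(d+1) sum over random directions is zero even when the directions are linearly dependent, since every point of the smaller span is then hit an even number of times.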

Highlights

  • Reducing the number of multiplications within cryptographic primitives is a quite recent trend that was initiated by LowMC [ARS+15], which led to many interesting design approaches like FLIP [MJSC16], Kreyvium [CCF+18], MiMC [AGR+16], or Rasta [DEG+18]

  • Cryptanalytic results have been published that took advantage of this, like, e.g., analysis that exploits the low algebraic degree of the functions [DEM15, DLMW15], the sparsity of nonlinear elements per encryption round [RST18], or other structural properties inherited from the quest to reduce the number of multiplications [DLR16]

  • As the number of monomials in the algebraic normal form of one specific bit after 2.5 rounds is the critical point of our cryptanalysis, we evaluate it carefully in the following subsections


Summary

Introduction

Reducing the number of multiplications within cryptographic primitives is a quite recent trend that was initiated by LowMC [ARS+15], which led to many interesting design approaches like FLIP [MJSC16], Kreyvium [CCF+18], MiMC [AGR+16], or Rasta [DEG+18]. The quest to reduce the number of multiplications has motivated cryptanalysts to look at these newly proposed constructions. This is because the nonlinear elements in ciphers provide the necessary confusion part in the confusion and diffusion duality [Sha49] that most of the modern designs still follow. Cryptanalytic results have been published that took advantage of this, like, e.g., analysis that exploits the low algebraic degree of the functions [DEM15, DLMW15], the sparsity of nonlinear elements per encryption round [RST18], or other structural properties inherited from the quest to reduce the number of multiplications [DLR16]. We want to emphasize that our attacks just focus on the block cipher Pyjamask-96 and that especially the attacks on the higher number of rounds do not apply when Pyjamask-96 is used in the context of the authenticated encryption scheme Pyjamask, partially due to the high data complexity.

Description of Pyjamask
Round function
The S-box
MixRows
The Key Schedule
Implementation Cost of Pyjamask-96
Attack principle
Ciphertext
Integral distinguisher on 11 rounds
Degrees of Pyjamask
Reminder
Our specific input affine spaces
Why choose x to be non-zero?
What do we get?
Going in the other way
A simple attack on 13 rounds
Attack on full-round Pyjamask-96
Two critical metrics
Upper bound of the number of monomials
Exact number of monomials
Guess-and-Determine: attacking full Pyjamask-96
Round-reduced attacks
Application on Pyjamask-96-AEAD
Losing one round inputting affine spaces
Losing one round for system solving
Conclusion
