Abstract
LowMC is a family of block ciphers designed for a low multiplicative complexity. The specification allows a large variety of instantiations, differing in block size, key size, number of S-boxes applied per round and allowed data complexity. The number of rounds deemed secure is determined by evaluating a number of attack vectors and taking the number of rounds still secure against the best of these. In this paper, we demonstrate that the attacks considered by the designers of LowMC in the version 2 of the round-formular were not sufficient to fend off all possible attacks. In the case of instantiations of LowMC with one of the most useful settings, namely with few applied S-boxes per round and only low allowable data complexities, efficient attacks based on difference enumeration techniques can be constructed. We show that it is most effective to consider tuples of differences instead of simple differences, both to increase the range of the distinguishers and to enable key recovery attacks. All applications for LowMC we are aware of, including signature schemes like Picnic and more recent (ring/group) signature schemes have used version 3 of the roundformular for LowMC, which takes our attack already into account.
Highlights
The security of block ciphers, one of the most versatile cryptographic primitives, is commonly believed to be well understood
Novel use-cases require new designs and new cryptanalysis. Such use-cases include amongst others masking of block ciphers to thwart side-channel attacks, usage in secure multi-party computation (MPC) or fully homomorphic encryption (FHE), SNARKs, and very recently block ciphers designed for use in quantum-secure public-key signature schemes
In this paper we provided new insight into the security of LowMCv2
Summary
The security of block ciphers, one of the most versatile cryptographic primitives, is commonly believed to be well understood. We provide new insight into the security of LowMC by demonstrating distinguishing and key-recovery attacks based on the enumeration of differences that are able to break full-round versions of LowMCv2 These attacks are based on finding collisions in the sets of reachable differences coming from both ends of the cipher. Such a corner of the parameter space is especially relevant for newly proposed public-key signature schemes based on NIZK proofs that need as the only cryptographic assumption the security of a one-way function (OWF) or a pseudo-random function (PRF), rather than on other more structured mathematical assumptions.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
