Abstract
CRAFT is a lightweight tweakable block cipher proposed at FSE 2019, which allows countermeasures against Differential Fault Attacks to be integrated into the cipher at the algorithmic level with ease. CRAFT employs a lightweight and involutory S-box and linear layer, such that the encryption function can be turned into decryption at a low cost. Besides, the tweakey schedule algorithm of CRAFT is extremely simple, where four 64-bit round tweakeys are generated and repeatedly used. Due to a combination of these features which makes CRAFT exceedingly lightweight, we find that some input difference at a particular position can be preserved through any number of rounds if the input pair follows certain truncated differential trails. Interestingly, in contrast to traditional differential analysis, the validity of this invariant property is affected by the positions where the constant additions take place. We use this property to construct “weak-tweakey” truncated differential distinguishers of CRAFT in the single-key model. Subsequently, we show how the tweak additions allow us to convert these weak-tweakey distinguishers into ordinary secret-key distinguishers based on which key-recovery attacks can be performed. Moreover, we show how to construct MILP models to search for truncated differential distinguishers exploiting this invariant property. As a result, we find a 15-round truncated differential distinguisher of CRAFT and extend it to a 19-round key-recovery attack with 260.99 data, 268 memory, 294.59 time complexity, and success probability 80.66%. Also, we find a 14-round distinguisher with probability 2−43 (experimentally verified), a 16-round distinguisher with probability 2−55, and a 20-round weak-key distinguisher (2118 weak keys) with probability 2−63. Experiments on round-reduced versions of the distinguishers show that the experimental probabilities are sometimes higher than predicted. Finally, we note that our result is far from threatening the security of the full CRAFT.
Highlights
The spectrum of applications of cryptographic algorithms for securing data and communication is becoming increasingly complex due to our ever-developing information society, where electronic computing devices are pervasive
Following the constraint-based (MILP [MWGP11, SHW+14b, ST17], SMT/SAT [KLT15], and CP [GMS16, SGL+17]) methodology for automatic symmetric-key cryptanalysis, we extract the essential rules governing the propagation of the input difference with the invariant property taking into account, convert them into constraints expressed in linear inequalities, and build an MILP model to search for distinguishers of CRAFT automatically
With the aid of MILP-based automatic tools, we identify a 15-round truncated differential distinguisher of CRAFT with probability 2−54, which can be extended to a 19-round key-recovery attack
Summary
The spectrum of applications of cryptographic algorithms for securing data and communication is becoming increasingly complex due to our ever-developing information society, where electronic computing devices are pervasive. Besides the self-evaluation provided by the designers [BLMR19], there are several papers considering the security of round-reduced CRAFT with respect to single-key or related-key differential attacks [MA19, HSN+19, EY19], and zero-correlation linear attacks [HSN+19] It seems that these attacks are quite general and do not make full use of the peculiarities of CRAFT (the involutory S-box, the order of the building blocks in the round function, and the addition of round tweakeys). Perhaps the most interesting and best work that exploits the special properties of CRAFT is the recent work published at FSE 2020 [HSN+19], where a 14-round related-tweak zero-correlation distinguisher for CRAFT is identified (see Table 1) This distinguisher is found based on the method presented at FSE 2019 [ADG+19], which relies on the linearity of the tweakey schedule algorithm.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
