Abstract

The nonlinear invariant attack was introduced at ASIACRYPT 2016 by Todo et al. The attack has received extensive attention from the cryptographic community due to its practical application to the full-round block ciphers SCREAM, iSCREAM, and Midori64. However, the attack relies heavily on the choice of round constants and becomes inefficient when these constants affect the so-called nonlinear invariants nonlinearly. In this article, to eliminate the impact of the round constants, a generalized nonlinear invariant attack is proposed which uses a pair of constants in the input of the nonlinear invariants. The efficiency of this extended framework is confirmed in practice by mounting a distinguishing attack on a variant of the full-round iSCREAM cipher under a class of 2^80 weak keys; this variant of iSCREAM is resistant to the nonlinear invariant attack of Todo et al. Furthermore, we investigate the resistance of block ciphers against generalized nonlinear invariant attacks with respect to the choice of round constants in this extended framework. We introduce the concept of closed-loop invariants of the substitution box (S-box) and show that the choice of robust round constants is closely related to the existence of linear structures of the closed-loop invariants of the substitution layer. In particular, we demonstrate that the design criterion for round constants in Beierle et al.'s work at CRYPTO 2017 is not an optimal strategy: round constants selected by this method may induce weaknesses that can be exploited in our generalized nonlinear invariant attack model. This scenario is demonstrated efficiently on a slightly modified variant of the Midori64 block cipher.

Highlights

  • The design of block ciphers, used as symmetric key encryption algorithms, is well understood, and their security has traditionally been evaluated using standard cryptanalytic techniques such as differential attacks [BS90], linear attacks [Mat93], and their diverse variations [LH94] [HTW15].

  • The authenticated encryption algorithm iSCREAM was proposed by Grosso et al. [GLSV14b]; it uses a structure similar to SCREAM, the latter being a candidate in the CAESAR competition [CAE13].

  • The state x is unaffected in odd rounds since formally α is the all-zero vector. This slightly more complex procedure for deriving round constants may appear more secure, but we demonstrate that one can efficiently mount generalized nonlinear invariant attacks on it, whereas the second rule above implies that the nonlinear invariants proposed by Todo et al. in [TLS16] [TLS18] are affected nonlinearly by the round constants, so that their attack cannot be applied in this case.


Summary

Introduction

The design of block ciphers, used as symmetric key encryption algorithms, is well understood, and their security has traditionally been evaluated using standard cryptanalytic techniques such as differential attacks [BS90], linear attacks [Mat93], and their diverse variations [LH94] [HTW15]. In order to extend a nonlinear invariant of a single round to the whole cipher, it is necessary that all round keys belong to the family of weak keys. Even though this assumption appears quite unrealistic, it was demonstrated in [TLS16] that certain recently proposed lightweight block ciphers have serious weaknesses in this context. Another important point is that, apart from the assumption on weak keys, the success of this attack relies heavily on the choice of the round constants, so that their proper selection can protect a cipher against these attacks [BCLR17].
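As an added example (not code from the paper, nor from the Midori or iSCREAM designers), the following Python script makes the objects discussed in the abstract and in this introduction concrete on the public Midori64 S-box Sb0: it finds every nonlinear invariant of the S-box by exhaustive search over all Boolean functions on 4 bits, lists the linear structures of an invariant (the constants whose XOR only flips the invariant by a fixed bit, which is exactly the weak-key condition on round keys and the robustness condition on round constants), and checks a pair-of-constants version of the invariant condition. The pair test, g(S(x) ⊕ b) ⊕ g(x ⊕ a) constant in x, is my own formalisation of the abstract's "pair of constants" and is stated here as an assumption; the paper's precise definition is not reproduced on this page.

```python
# Added illustration, not the paper's code: nonlinear invariants of a 4-bit
# S-box, their linear structures, and a pair-of-constants generalisation.

N = 4
SIZE = 1 << N  # 16 inputs of a 4-bit S-box

# Midori64 S-box Sb0, as given in the public Midori specification.
MIDORI64_SB0 = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
                0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]


def anf(tt):
    """Moebius transform: truth table tt[x] -> ANF coefficients a[m], where the
    monomial m is the product of x_j over every set bit j of m."""
    a = list(tt)
    step = 1
    while step < SIZE:
        for i in range(SIZE):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return a


def degree(tt):
    """Algebraic degree; -1 for the zero function, 0 for the constant 1."""
    coeffs = anf(tt)
    return max((bin(m).count("1") for m in range(SIZE) if coeffs[m]), default=-1)


def is_invariant(tt, sbox):
    """g is an invariant of S if g(S(x)) ^ g(x) takes the same value for all x."""
    c = tt[sbox[0]] ^ tt[0]
    return all(tt[sbox[x]] ^ tt[x] == c for x in range(SIZE))


def nonlinear_invariants(sbox):
    """Exhaustive search over all 2^16 Boolean functions on 4 bits; keeps the
    invariants of algebraic degree at least 2 (constants and affine ones dropped)."""
    found = []
    for bits in range(1 << SIZE):
        tt = [(bits >> x) & 1 for x in range(SIZE)]
        if is_invariant(tt, sbox) and degree(tt) >= 2:
            found.append(tt)
    return found


def linear_structures(tt):
    """Constants a with g(x ^ a) ^ g(x) constant in x.  A round key or round
    constant from this set only flips g by a known bit, so the invariant survives
    the addition: these are the weak keys / non-robust round constants for g."""
    ls = []
    for a in range(SIZE):
        c = tt[a] ^ tt[0]
        if all(tt[x ^ a] ^ tt[x] == c for x in range(SIZE)):
            ls.append(a)
    return ls


def is_generalized_invariant(tt, sbox, a, b):
    """Pair-of-constants condition (assumed formalisation, not the paper's
    definition): g(S(x) ^ b) ^ g(x ^ a) is constant in x.  a == b == 0 recovers
    the plain invariant test; (a, a) works whenever a is a linear structure of g."""
    c = tt[sbox[0] ^ b] ^ tt[a]
    return all(tt[sbox[x] ^ b] ^ tt[x ^ a] == c for x in range(SIZE))


def generalized_pairs(tt, sbox):
    """All constant pairs (a, b) under which g still behaves as an invariant."""
    return [(a, b) for a in range(SIZE) for b in range(SIZE)
            if is_generalized_invariant(tt, sbox, a, b)]


def monomials(tt):
    """Human-readable ANF, e.g. 'x0x1 + x2 + x3'."""
    coeffs = anf(tt)
    terms = []
    for m in range(SIZE):
        if coeffs[m]:
            terms.append("1" if m == 0 else
                         "".join(f"x{j}" for j in range(N) if (m >> j) & 1))
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    invs = nonlinear_invariants(MIDORI64_SB0)
    print(f"{len(invs)} nonlinear invariants of Midori64 Sb0")
    quadratic = [g for g in invs if degree(g) == 2]
    g = quadratic[0]
    print("example quadratic invariant:", monomials(g))
    print("its linear structures (weak constants):",
          [hex(a) for a in linear_structures(g)])
    print("constant pairs (a, b) under which it stays invariant:",
          len(generalized_pairs(g, MIDORI64_SB0)))
```

Because Sb0 is an involution with fixed points, the search only finds invariants with g(S(x)) = g(x) (the alternating case g(S(x)) = g(x) ⊕ 1 is ruled out by the fixed points), and an invariant is simply a function constant on each orbit of the S-box; the search returns all of them and the degree filter removes the trivial affine ones. The linear-structure list is what a round-constant selection rule has to avoid for every such invariant, and the pair search shows how many constant pairs an attacker can still exploit once a single constant is no longer required to be a linear structure.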

Our contribution
Related works
Organization
Basic idea of GNIA
GNIA framework for SPN block ciphers
Generalized nonlinear invariants of S-box layer
Generalized nonlinear invariants of linear layer
Practical attack on a variant of iSCREAM
Brief description of iSCREAM
A slightly modified variant of iSCREAM
An application of GNIA to the considered variant of iSCREAM
Resistance against GNIA
A brief description of a variant of Midori64
Closed-loop invariants for the variant of Midori64
A distinguishing attack on the variant of Midori64
A new design criterion for round constants
Conclusions