Abstract
Limited-birthday distinguishers (LBDs) are widely used tools for the cryptanalysis of cryptographic permutations. In this paper we propose LBDs on several variants of the sLiSCP permutation family, which are building blocks of two round-2 candidates of the NIST lightweight standardization process: Spix and SpoC. We improve the number of attacked steps with respect to the previously known best results, which used the rebound attack. We improve the techniques used for solving the middle part, called the inbound phase, and we relax the external conditions in order to extend the previous attacks. Previously, the lower bound on the complexity of LBDs had been proved only for functions. In this paper we prove, for the first time, the bound for permutations, which shows that the known upper bounds are tight.
Highlights
Lightweight cryptography aims at providing efficient cryptographic primitives for highly constrained devices such as sensor networks, distributed control systems, the Internet of Things, and so on.
We provide the cryptanalysis of the sLiSCP [ARH+17] and sLiSCP-light [ARH+18] permutations. sLiSCP is a cryptographic permutation based on Simeck [YZS+15]. sLiSCP was designed to be used in the designers' sponge hash function and duplex authenticated encryption with associated data (AEAD) mode. sLiSCP consists of 18 iterations of a step function that adopts a 4-branch type-2 generalized Feistel network (GFN) in which each branch has width w ∈ {48, 64}.
When P is a random permutation, to solve the limited-birthday problem with a probability greater than p_s, 2n queries to P or P^{-1} are required. This theorem strengthens the rationale for the validity of various limited-birthday distinguishers (LBDs), including those in previous works such as [GP10] and our attacks on sLiSCP and sLiSCP-light (the complexities of all of our new attacks are smaller than the lower bound for a random permutation in [2]).
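To make the limited-birthday problem concrete, the following Python script is an added illustration and is not code from the paper or from the sLiSCP, Spix or SpoC designers. It states the generic Gilbert–Peyrin [GP10] complexity for an n-bit permutation with 2^IN admissible input differences and 2^OUT admissible output differences, and runs the textbook generic solver (structures of inputs sharing a high part, then a birthday search on the output prefix) against a constructed random 16-bit permutation in place of sLiSCP. The parameter names n, in_dim, out_dim, the low-bit difference subspaces and the toy permutation are assumptions; the paper's own theorem, which gives the bound for a target success probability p_s, is not reproduced here.

```python
import random


def random_permutation(n_bits, seed=1):
    """Constructed stand-in for an ideal n-bit permutation P: a Fisher-Yates
    shuffled lookup table. This is NOT sLiSCP, just an idealised P."""
    rng = random.Random(seed)
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    return table


def generic_lbd_bound(n, in_dim, out_dim):
    """Gilbert-Peyrin [GP10] generic query complexity of the limited-birthday
    problem for an n-bit permutation, 2^in_dim input differences and
    2^out_dim output differences:
        max( min( 2^((n+1-IN)/2), 2^((n+1-OUT)/2) ), 2^(n+1-IN-OUT) )."""
    birthday_in = 2 ** ((n + 1 - in_dim) / 2)
    birthday_out = 2 ** ((n + 1 - out_dim) / 2)
    sieve = 2 ** (n + 1 - in_dim - out_dim)
    return max(min(birthday_in, birthday_out), sieve)


def is_solution(perm, x1, x2, in_dim, out_dim):
    """LBD conditions (assumed subspaces): x1 != x2, x1 ^ x2 lies in the
    IN low-order bits, P(x1) ^ P(x2) lies in the OUT low-order bits."""
    if x1 == x2:
        return False
    return ((x1 ^ x2) >> in_dim) == 0 and ((perm[x1] ^ perm[x2]) >> out_dim) == 0


def solve_limited_birthday(perm, n, in_dim, out_dim, rng):
    """Generic solver. A structure is the set of 2^IN inputs sharing a random
    high part, so any two of them differ only in the IN low bits. Two outputs
    whose top n-OUT bits agree differ only in the OUT low bits, so a collision
    on that prefix is a solution. Returns (x1, x2, queries_used)."""
    queries = 0
    while True:
        base = rng.getrandbits(n) & ~((1 << in_dim) - 1)
        seen = {}  # output prefix -> input that produced it
        for low in range(1 << in_dim):
            x = base | low
            y = perm[x]
            queries += 1
            prefix = y >> out_dim
            if prefix in seen:
                return seen[prefix], x, queries
            seen[prefix] = x


def average_queries(n=16, in_dim=6, out_dim=4, trials=200, seed=7):
    """Run the generic solver repeatedly on one constructed permutation and
    return (mean queries per solution, GP10 generic bound) for comparison."""
    perm = random_permutation(n, seed)
    rng = random.Random(seed + 1)
    total = 0
    for _ in range(trials):
        x1, x2, q = solve_limited_birthday(perm, n, in_dim, out_dim, rng)
        assert is_solution(perm, x1, x2, in_dim, out_dim)
        total += q
    return total / trials, generic_lbd_bound(n, in_dim, out_dim)


if __name__ == "__main__":
    mean_q, bound = average_queries()
    print(f"mean queries per solution: {mean_q:.1f}, GP10 generic bound: {bound:.1f}")
```

An attack on a concrete permutation is a valid LBD only when its cost falls below what this generic procedure needs on an ideal permutation; the script lets you see, for toy parameters, that the generic cost tracks the bound (with n=16, IN=6, OUT=4 the bound is 2^7 = 128 queries and the solver needs a comparable number on average).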
Summary
For sLiSCP-light, the designers of Spix and SpoC argued that the best known distinguisher is a zero-sum distinguisher with a start-from-the-middle approach, which works up to 14 steps but requires data and time complexities equal to those of exhaustive search. We give, for the first time, a formal proof that [1] is the (asymptotically) tight bound for solving the limited-birthday problem on a random permutation: 2ps queries to P or P^{-1} are required. This theorem strengthens the rationale for the validity of various LBDs, including those in previous works such as [GP10] and our attacks on sLiSCP and sLiSCP-light (the complexities of all of our new attacks are smaller than the lower bound for a random permutation in [2]).