Practical Attacks on Reduced-Round 3D and Saturnin

Author:

Hou Tao¹, Cui Ting¹, Zhang Jiyan¹

Affiliation:

1. PLA SSF Information Engineering University, 62 Science Avenue, Zhengzhou 450000, China

Abstract

3D, an Advanced Encryption Standard-like cipher employing a three-dimensional structure, was proposed in 2008. Its recommended number of rounds is 22. Although the longest key recovery attack can currently reach 13 rounds, the complexity of existing attacks on more than 6 rounds seems to exceed what is practically feasible. Thus, a practical attack on 7-round 3D has yet to be developed. Recently, a lightweight block cipher called Saturnin was selected as a second-round candidate in the National Institute of Standards and Technology standardization for lightweight cryptography. Saturnin also employs a three-dimensional structure and provides high security against quantum and classical attacks. In this paper, we investigate the yoyo attack on these two ciphers. Combined with the meet-in-the-middle technique, we apply the yoyo trick to 7-round 3D and recover the whole 512-bit secret key with $2^{15}$ plaintexts and adaptively chosen ciphertexts and a complexity of $2^{16.5}$ full encryptions. To the best of our knowledge, it is the first practical key recovery attack on 7-round 3D to date. For Saturnin, we found a minor typo in its design report. The designers intended a super round to contain two S-layers, but one was inadvertently omitted in the algorithm description. We propose a 5-super-round key recovery attack, which is suitable for both the one-S-layer version and the two-S-layer version. Because the round function of Saturnin has better diffusion, the meet-in-the-middle technique cannot be applied to this cipher directly. For the one-S-layer version, we address this problem by proposing a new technique called reducing key sets. This technique fails on the other version, which proves the necessity of containing two S-layers in one super round. Finally, our attack requires $2^{39.1}$ plaintext pairs and adaptively chosen ciphertext pairs and $2^{46}$ one-round encryptions.

Publisher

Oxford University Press (OUP)

Subject

General Computer Science


Cited by 3 articles.