Abstract

Grassi et al. [Gra+16] introduced subspace trail cryptanalysis as a generalization of invariant subspaces and used it to give the first five-round distinguisher for AES. While it is a generic method, up to now it has only been applied to AES and PRINCE. One obstacle to a broader adoption of the attack is the lack of a generic analysis algorithm. In this work we provide efficient and generic algorithms that compute the provably best subspace trails for any substitution-permutation cipher.

Highlights

  • Despite good progress in the last decades, especially within the AES competition and more recently within the area of lightweight cryptography, some fundamental questions of the design and analysis of block ciphers still remain open. Several of those fundamental questions can be found in the area of differential cryptanalysis and its variants.

  • If the S-box used in the cipher does not have any linear structures, we can prove that the approach sketched above, that is, to ignore the details of the S-box and to only consider the case where the input subspace U0 activates a single S-box, always results in the strongest subspace trail.

  • Besides the subspace trail on AES [GRR17], subspace trail cryptanalysis has been applied to PRINCE in [GR16].

Summary

Introduction

Despite good progress in the last decades, especially within the AES competition and more recently within the area of lightweight cryptography, some fundamental questions of the design and analysis of block ciphers (or hash functions or cryptographic permutations) still remain open. Any progress here would significantly improve our understanding of block ciphers. Another example of a related area for which a strict analysis without simplifying heuristics is still missing is the topic of truncated differentials. For SPN ciphers, where each round function consists of a layer of parallel S-boxes followed by a linear mapping, the two most common simplifications are to ignore the details of the S-box and to restrict to the cases where the input subspace U0 activates only one S-box. While intuitively this approach seems to cover the best subspace trails, it seems hard to exclude the existence of better subspace trails outside those special cases. One important question raised is whether the known results on AES could be improved by taking the specific structure of the AES S-box into account.
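The following Python script is an added worked example for the two simplifications discussed above and for the linear-structure claim in the highlights; it is not code from the paper or from this page. For a toy SPN state of k parallel n-bit S-boxes followed by a GF(2)-linear layer, it computes the provably smallest output subspace U1 of a given input subspace U0 by spanning all derivatives F(a) + F(a + u) of the S-box layer (a brute-force check that works for small word sizes, not the paper's generic algorithm), and compares it with the truncated heuristic that treats every S-box touched by U0 as fully active. The AES S-box is regenerated from its definition (inversion in GF(2^8), then the affine map) and checked for linear structures; the 4-bit S-box TOY_SBOX, the four-word state and the bit-rotation linear layer are constructed for illustration and belong to no real cipher.

```python
"""Exact one-round subspace trails of a toy SPN (k parallel n-bit S-boxes, word i at
bits n*i..n*i+n-1, then a GF(2)-linear layer) versus the truncated heuristic.
Subspaces are lists of basis vectors stored as Python ints."""

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox():
    """Rebuild the AES S-box from its definition: GF(2^8) inversion, then the affine map."""
    rot = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    table = []
    for x in range(256):
        inv = x
        for _ in range(6):              # x -> x^3 -> x^7 -> x^15 -> x^31 -> x^63 -> x^127
            inv = gf_mul(gf_mul(inv, inv), x)
        inv = gf_mul(inv, inv)          # x^254 = x^-1 in GF(2^8), and 0 -> 0
        table.append(inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63)
    return table

AES_SBOX = aes_sbox()

# Constructed 4-bit S-box (not from any cipher): the top bit passes through and the
# low three bits go through x -> x^3 in GF(2^3), so input difference 8 always gives
# output difference 8: a linear structure.
TOY_SBOX = [(x & 8) | [0, 1, 3, 4, 5, 6, 7, 2][x & 7] for x in range(16)]

def reduce_basis(vectors):
    """Gaussian elimination over GF(2): an independent basis of span(vectors)."""
    pivots = {}                         # leading bit -> vector with that leading bit
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return sorted(pivots.values(), reverse=True)

def linear_structures(sbox, n):
    """All (a, beta), both nonzero, such that <beta, S(x) ^ S(x ^ a)> is constant in x."""
    found = []
    for a in range(1, 1 << n):
        d0 = sbox[0] ^ sbox[a]
        # beta is a linear structure for a iff it is orthogonal to every D_a S(x) ^ D_a S(0)
        varying = reduce_basis([sbox[x] ^ sbox[x ^ a] ^ d0 for x in range(1 << n)])
        if len(varying) < n:
            found += [(a, b) for b in range(1, 1 << n)
                      if all(bin(b & v).count("1") % 2 == 0 for v in varying)]
    return found

def sbox_layer_trail(sbox, n, k, basis_u0):
    """Smallest U1 with (U0, U1) a subspace trail for the parallel S-box layer F:
    U1 = span{F(a) ^ F(a ^ u) : all states a, u in a basis of U0}.  F acts word by word,
    so the span is generated by D_u S(x) ^ D_u S(0) per active word plus the constant D_u F(0)."""
    mask = (1 << n) - 1
    gens = []
    for u in basis_u0:
        const = 0
        for i in range(k):
            ui = (u >> (n * i)) & mask
            if ui == 0:
                continue                # inactive S-box: its derivative is identically 0
            d0 = sbox[0] ^ sbox[ui]
            const |= d0 << (n * i)
            gens += [(sbox[x] ^ sbox[x ^ ui] ^ d0) << (n * i) for x in range(1 << n)]
        gens.append(const)
    return reduce_basis(gens)

def truncated_trail(n, k, basis_u0):
    """Heuristic: every S-box touched by U0 is assumed to output its full n-bit word."""
    mask = (1 << n) - 1
    active = {i for u in basis_u0 for i in range(k) if (u >> (n * i)) & mask}
    return reduce_basis([1 << (n * i + j) for i in active for j in range(n)])

def rotate_layer(n, k, shift):
    """A toy GF(2)-linear layer (not any cipher's): rotate the k*n-bit state left."""
    width = n * k
    return lambda v: ((v << shift) | (v >> (width - shift))) & ((1 << width) - 1)

def round_trail(sbox, n, k, basis_u0, linear_layer):
    """One SPN round: the S-box layer trail pushed through the linear layer."""
    return reduce_basis([linear_layer(v) for v in sbox_layer_trail(sbox, n, k, basis_u0)])

if __name__ == "__main__":
    L = rotate_layer(8, 4, 11)
    exact = round_trail(AES_SBOX, 8, 4, [0x01], L)
    heur = reduce_basis([L(v) for v in truncated_trail(8, 4, [0x01])])
    print("AES S-box linear structures:", len(linear_structures(AES_SBOX, 8)))
    print("AES, one active S-box: exact dim", len(exact), "heuristic dim", len(heur),
          "equal:", len(reduce_basis(exact + heur)) == len(exact) == len(heur))
    print("TOY_SBOX linear structures:", len(linear_structures(TOY_SBOX, 4)))
    print("TOY, U0 = span{0x0088}: exact dim", len(sbox_layer_trail(TOY_SBOX, 4, 4, [0x0088])),
          "heuristic dim", len(truncated_trail(4, 4, [0x0088])))
```

With the AES S-box no (a, beta) pair survives, so for any U0 that activates a single S-box the exact output subspace is the full word and coincides with the truncated heuristic, which is what makes ignoring the S-box details safe there. TOY_SBOX has a linear structure, and U0 = span{0x0088} (difference 8 in two words) gives an exact U1 of dimension 1 against a heuristic of dimension 8: a trail the single-active-S-box shortcut can neither find nor rule out, which is exactly the caveat the linear-structure condition captures.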

Our Contribution
Related Work
Basics
Subspace Trails
Truncated Differentials
Computing A Trail for a Given Input Difference
Activating Only Single S-boxes
S-box layers without Linear Structures
Results
S-box layers with Linear Structures
Open Problems
Our Results
