Abstract
Design of SP networks in which the non-linear layer is applied to only
a part of the state in each round was suggested by Gérard et al.~at CHES 2013.
Besides performance advantage on certain platforms, such a
design allows for more efficient masking techniques that
can mitigate side-channel attacks with a small performance overhead.
In this paper we present generic techniques for differential and linear
cryptanalysis of SP networks with partial non-linear layers, including
an automated characteristic search tool and dedicated key-recovery
algorithms. Our techniques can be used both for cryptanalysis of such
schemes and for proving their security with respect to basic differential and
linear cryptanalysis, succeeding where previous automated analysis tools seem to fail.
We first apply our techniques to the block cipher Zorro (designed by Gérard et
al.~following their methodology), obtaining practical attacks on the cipher which where fully simulated
on a single desktop PC in a few days. Then, we propose a mild change to Zorro, and
formally prove its security against basic differential and linear cryptanalysis.
We conclude that there is no inherent flaw in the design strategy of Gérard et al.,
and it can be used in future designs, where our tools should prove useful.
a part of the state in each round was suggested by Gérard et al.~at CHES 2013.
Besides performance advantage on certain platforms, such a
design allows for more efficient masking techniques that
can mitigate side-channel attacks with a small performance overhead.
In this paper we present generic techniques for differential and linear
cryptanalysis of SP networks with partial non-linear layers, including
an automated characteristic search tool and dedicated key-recovery
algorithms. Our techniques can be used both for cryptanalysis of such
schemes and for proving their security with respect to basic differential and
linear cryptanalysis, succeeding where previous automated analysis tools seem to fail.
We first apply our techniques to the block cipher Zorro (designed by Gérard et
al.~following their methodology), obtaining practical attacks on the cipher which where fully simulated
on a single desktop PC in a few days. Then, we propose a mild change to Zorro, and
formally prove its security against basic differential and linear cryptanalysis.
We conclude that there is no inherent flaw in the design strategy of Gérard et al.,
and it can be used in future designs, where our tools should prove useful.
Original language | English |
---|---|
Publisher | Cryptology ePrint Archive |
Number of pages | 228 |
Volume | 2014/228 |
State | Published - 2014 |