
Related-key attack on full-round PICARO. (English) Zbl 1396.94065

Dunkelman, Orr (ed.) et al., Selected areas in cryptography – SAC 2015. 22nd international conference, Sackville, NB, Canada, August 12–14, 2015. Revised selected papers. Cham: Springer (ISBN 978-3-319-31300-9/pbk; 978-3-319-31301-6/ebook). Lecture Notes in Computer Science 9566, 86-101 (2016).
Summary: Side-channel cryptanalysis is a very efficient class of attacks that recover secret information by exploiting the physical leakage of a device executing a cryptographic computation. To address this type of attack, many countermeasures have been proposed, and some papers have addressed the question of constructing an efficient masking scheme for existing ciphers. In their work, G. Piret, T. Roche and C. Carlet took the problem the other way around and specifically designed a cipher that would be easy to mask. Their careful analysis, which started with the design of an adapted Sbox, led to the construction of a 12-round Feistel cipher named PICARO. In this paper, we present the first full-round cryptanalysis of this cipher and show how to recover the key in the related-key model. Our analysis takes advantage of the low diffusion of the key schedule together with the non-bijectivity of the PICARO Sbox. Our best trade-off has a time complexity equivalent to \(2^{107.4}\) encryptions, a data complexity of \(2^{99}\) plaintexts, and requires storing \(2^{17}\) (plaintext, ciphertext) pairs.
For the entire collection see [Zbl 1334.94025].

MSC:

94A60 Cryptography

Software:

PICARO; McEliece
