Cryptanalytic Time–Memory–Data Trade-offs for FX-Constructions and the Affine Equivalence Problem

Research output: Contribution to journalArticlepeer-review

1 Scopus citations

Abstract

The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an n-bit core block cipher with a κ-bit key by using two additional n-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE, PRIDE and MANTIS (presented at ASIACRYPT 2012, CRYPTO 2014 and CRYPTO 2016, respectively). In this paper, we devise new cryptanalytic time–memory–data trade-off attacks on FX-constructions. By fine-tuning the parameters to the recent FX-construction proposals, we show that the security margin of these ciphers against practical attacks is smaller than expected. Our techniques combine a special form of time–memory–data trade-offs, typically applied to stream ciphers, with a cryptanalytic technique by Fouque, Joux and Mavromati. In the final part of the paper, we show that the techniques we use in cryptanalysis of the FX-construction are applicable to additional schemes. In particular, we use related methods in order to devise new time–memory trade-offs for solving the affine equivalence problem. In this problem, the input consists of two functions F, G: { 0 , 1 } n→ { 0 , 1 } n, and the goal is to determine whether there exist invertible affine transformations A1, A2 over GF(2) n such that G= A2∘ F∘ A1.

Original languageEnglish
Pages (from-to)874-909
Number of pages36
JournalJournal of Cryptology
Volume33
Issue number3
DOIs
StatePublished - 1 Jul 2020

Keywords

  • Affine equivalence problem
  • Block cipher
  • Cryptanalysis
  • DESX
  • FX-construction
  • MANTIS
  • PRIDE
  • PRINCE
  • Time–memory–data trade-off

Fingerprint

Dive into the research topics of 'Cryptanalytic Time–Memory–Data Trade-offs for FX-Constructions and the Affine Equivalence Problem'. Together they form a unique fingerprint.

Cite this