TY - UNPB
T1 - Decomposing the ASASA Block Cipher Construction. IACR Cryptology ePrint Archive
AU - Dinur, Itai
AU - Dunkelman, Orr
AU - Kranz, Thorsten
AU - Le, Gregor
PY - 2015
Y1 - 2015
N2 - We consider the problem of recovering the internal specification of a general SP-network consisting of three linear layers (A) interleaved with two Sbox layers (S) (denoted by ASASA for short), given only black-box access to the scheme. The decomposition of such general ASASA schemes was first considered at ASIACRYPT 2014 by Biryukov et al. which used the alleged difficulty of this problem to propose several concrete block cipher designs as candidates for white-box cryptography. In this paper, we present several attacks on general ASASA schemes that significantly outperform the analysis of Biryukov et al. As a result, we are able to break all the proposed concrete ASASA constructions with practical complexity. For example, we can decompose an ASASA structure that was supposed to provide 64-bit security in roughly 2^28 steps, and break the scheme that supposedly provides 128-bit security in about 2^41 time. Whenever possible, our findings are backed up with experimental verifications.
AB - We consider the problem of recovering the internal specification of a general SP-network consisting of three linear layers (A) interleaved with two Sbox layers (S) (denoted by ASASA for short), given only black-box access to the scheme. The decomposition of such general ASASA schemes was first considered at ASIACRYPT 2014 by Biryukov et al. which used the alleged difficulty of this problem to propose several concrete block cipher designs as candidates for white-box cryptography. In this paper, we present several attacks on general ASASA schemes that significantly outperform the analysis of Biryukov et al. As a result, we are able to break all the proposed concrete ASASA constructions with practical complexity. For example, we can decompose an ASASA structure that was supposed to provide 64-bit security in roughly 2^28 steps, and break the scheme that supposedly provides 128-bit security in about 2^41 time. Whenever possible, our findings are backed up with experimental verifications.
KW - Block cipher
KW - ASASA
KW - white-box cryptography
KW - integral cryptanalysis
KW - differential cryptanalysis
M3 - Working paper
BT - Decomposing the ASASA Block Cipher Construction. IACR Cryptology ePrint Archive
ER -