ABSTRACT. Correlation cube attacks were proposed by Liu et al. at EUROCRYPT 2018, which targeted a modern symmetric-key cryptosystem based on nonlinear feedback shift registers. The main idea of correlation cube attacks lies in recovering the secret key by exploiting conditional correlation properties between the superpoly of a cube and a specific set of low-degree polynomials called a basis. In this paper, we propose a new correlation cube attack based on the division property. The new attack expresses a given superpoly p as $fg\oplus h$ and calculates correlation probabilities for all possible f, where f only involves key variables. This novel idea breaks the restriction on the basis used in the original attack and provides more choices to find good correlation probabilities, thus making the correlation cube attack much more powerful. Besides, the first application of the division property to correlation cube attacks is given, which aided by MILP modeling techniques facilitates the search for desirable cubes. As illustrations, we apply the new correlation cube attack to Trivium. For 844-round Trivium, we can recover about 4-bit key information on average with the time complexity $2^{45}$, which could be fully verified by experiments. This is so far the best key recovery attack for 844-round Trivium.

ABSTRACT. A common structure in stream ciphers makes use of linear and nonlinear shift registers with a nonlinear output function drawing from both registers. We refer to these as Grain-like keystream generators. A recent development in lightweight ciphers is a modification of this structure to include a non-volatile key register, which allows key bits to be fed into the state update of the nonlinear register. Sprout and Plantlet are examples of this modified structure. The authors of these ciphers argue that including these key bits in the internal state update provides increased security, enabling the use of reduced register sizes below the commonly accepted rule of thumb that the state size should be at least twice the key size. In this paper, we analyse Plantlet and show that the security of this design depends entirely on the choice of the output function. Specifically, the contribution from the nonlinear register to the output function determines whether a key recovery attack is possible. We make a minor modification to Plantlet’s output function which allows the contents of the linear register to be recovered using an algebraic attack during keystream generation. This information then allows partial recovery of the contents of the nonlinear register, after which the key bits and the remaining register contents can be obtained using a guess and check approach, with a complexity significantly lower than exhaustive key search. Note that our attack is not successful on the existing version of Plantlet, though it only requires minor modifications to the filter function in order for the attack to succeed. However, our results clearly demonstrate that including the key in the state update during keystream generation does not increase the security of Plantlet. In fact, this feature was exploited to recover the key during keystream generation without the need to consider the initialisation process. This paper provides design guidelines for choosing both suitable output functions and the register stages used for inputs to these functions in order to resist the attacks we applied.

ABSTRACT. Quite a lot of block ciphers proposed in recent years are families of ciphers that conveniently support multiple block lengths and key lengths. The essential security requirements for a family of block ciphers are: (1) Each cipher instance from family is secure; (2) Cipher instances do not endanger each other's security, namely, by one or more cipher instances, other instances cannot be predicted. However, traditional cryptanalysis methods always assess the security of a special member of the family cipher, such as differential cryptanalysis, linear cryptanalysis, integral cryptanalysis. Related-cipher attacks focus on the security between cipher instances. This paper researches the security of Ballet-128 and ANT-128 against related-cipher attacks. Since their key schedules do not rely on the round number of encryption, we consider the related-cipher attack with equivalent keys by limiting the 256-bit key space. As a result, we recover the secret key of the full Ballet-128/128 with just one chosen plaintext pairs and one call of Ballet-128/128 and Ballet-128/256, which means Ballet-128 is insecure against related-cipher attack. For ANT-128, we show that there exist at most 6-round related-cipher distinguishers between ANT-128/128 and ANT-128/256, and launch a 9-round key-recovery attack on ANT-128/128 based on a 6-round related-cipher distinguisher with time complexity about $2^{60.9}$.

ABSTRACT. In this paper, a new variant of differential cryptanalysis is developed by applying the idea of the boomerang attack on the truncated differential. We call this variant a triangle differential cryptanalysis since it utilizes the difference of every pair in an input and output triple. Similar to the boomerang attack, the triangle differential cryptanalysis combines two independent truncated differential distinguishers of two parts of a cryptosystem into a distinguisher of the whole cryptosystem. It provides a new perspective on the differential propagation, and so it is possible to break the limit of the traditional truncated differential. An MILP modeling technique is also provided for the triangle differential distinguisher search against general SPN ciphers. To demonstrate the power of this new type of differential distinguishers, we apply it to SKINNY64 and CRAFT. For SKINNY64, an 11-round triangle differential distinguisher is obtained, while the previous longest truncated differential distinguisher is 10-round. For CRAFT, a 13-round triangle differential distinguisher is obtained, while the previous longest truncated differential distinguisher is 12-round. Besides, compared with the best distinguishers other than the truncated differential distinguishers, there are still some improvements on the probabilities for both SKINNY64 and CRAFT.

ABSTRACT. Authenticated Encryption (AE) achieves privacy and au- thenticity with a single scheme. It is possible to obtain an AE scheme gluing them together an encryption scheme (privacy secure) and a Mes- sage Authentication Code (authenticity secure). This approach is called a generic composition and its security has been studied by Namprempre et al. [NRS14]. They looked into all the possible gluings of an encryp- tion scheme with a secure MAC to obtain a nonce-based AE-scheme. The encryption scheme is either IV-based (that is, with an additional random input, the initialization vector [IV]) or nonce-based (with an input to be used once, the nonce). Nampremepre et al. assessed the se- curity/insecurity of all possible composition combinations except for 4 (N4, A10, A11 and A12). Berti et al. [BPP18a] showed that N4 is inse- cure and that the remaining modes (A10, A11, and A12) are either all secure or insecure. Here, we prove that these modes are all insecure with a counterexample.

ABSTRACT. Cryptographic hash functions are used inside many applications that critically rely on their resistance against cryptanalysis attacks and the correctness of their implementations. Nevertheless, vulnerabilities in cryptographic hash function implementations can remain unnoticed for more than a decade, as shown by the recent discovery of a buffer overflow in the implementation of SHA-3 in the eXtended Keccak Code Package (XKCP), impacting Python, PHP, and several other software projects. In this paper, we explore the application of formal methods to the five finalist submission packages to the NIST SHA-3 competition, allowing us to rediscover vulnerabilities in the implementations of Keccak and BLAKE, and discover a new vulnerability in the implementation of Grøstl. We also show how the same approach rediscovers a vulnerability affecting 11 out of the 12 implemented cryptographic hash functions in Apple's CoreCrypto library. Our approach consists of removing certain lines of code and then using KLEE as a tool to prove functional equivalence. We discuss the advantages and limitations of our approach and hope that our attempt to consolidate some earlier approaches can lead to new insights.

ABSTRACT. SPEEDY is a family of ultra-lightweight block ciphers designed by Leander et al. at TCHES 2021. There are three recommended variants denoted as SPEEDY-r-192 with r ∈ {5, 6, 7}. All of them support the 192-bit block and the 192-bit key. The main focus during its design is to ensure hardware-aware low latency, thus, whether it is designed to have enough security is worth to be studied. Recently, the full-round security of SPEEDY-7-192 is announced to be broken by Boura et al. at EUROCRYPT 2023 under the chosen-ciphertext setting, where a round-reduced attack on SPEEDY-6-192 is also proposed. However, no valid attack on SPEEDY-5-192 is given due to its more restricted security parameters. Up to now, the best key recovery attack on this variant only covers 3 rounds proposed by Rohit et al. at AFRICACRYPT 2022. In this paper, we give three full-round attacks on SPEEDY-7-192. Using the divide-and-conquer strategy and other new proposed techniques, we found a 5.5-round differential distinguisher which can be used to mount the first chosen-plaintext full-round key recovery attack. With a similar strategy, we also found a 5-round linear distinguisher which leads to the first full-round attack under the known-plaintext setting. Meanwhile, the 5.5-round differential distinguisher also helps us slightly improve the full-round attack in the chosen-ciphertext setting compared with the previous result. Besides, we also present a 4-round differential attack on SPEEDY-5-192, which is the best attack on this variant in terms of the number of rounds so far. A faster key recovery attack covering the same rounds is also given using a differential-linear distinguisher. Both attacks cannot threaten its full-round security.

ABSTRACT. Compiler provenance is significant in investigating the source-level indicators of binary code, like development-environment, source compiler, and optimization settings. Not only does compiler provenance analysis have important security applications in malware and vulnerability analysis, but it is also very challenging to extract useful artifacts from binary when high-level language constructs are missing. Previous works applied machine-learning techniques to predict the source compiler of binaries. However, most of the work is done on the binaries compiled on Linux operating system. We highlight the importance and need to explore Windows compilers and the complicated binaries compiled on the latest versions of these compilers. Therefore, we construct a large dataset of real-world binaries compiled with four major compilers on Windows and four most common optimization settings. The complexity of the optimized program leads us to identify specific patterns in the binaries that contribute to source compiler and specific optimization level. To address these observations, we propose an improved model based upon the state-of-the-art,~\oglassesX, and incorporate streamlined alignment padding features in the existing model. Thus, our improved model learns alignment instructions from binary code of portable executables and libraries using the attention mechanism. We conduct an extensive experimentation on a dataset of 296,169 unique and complex binary code generated from C/C++ applications. We show that our improved model surpasses state-of-the-art by a large margin in predicting source compiler and optimization flag of complex compiled code.

ABSTRACT. Encryption protects internet users’ data security and privacy but makes network traffic classification a much harder problem. Network traffic classification is essential for identifying and predicting user behavior which is important for the overall task of network management. Deep learning methods used to tackle this problem have produced promising results. However, the conditions on which these experiments are carried out raise questions about their effectiveness when applied in the real world. We tackle this problem by modelling network traffic as graphs and applying deep learning for classification. We design a graph classifier based on higher order graph neural network with the aim of optimum generalization. To demonstrate the robustness of our model, we cross validate it on the ISCXVPN and USTC-TFC datasets with varying input specifications. We use our model to demonstrate the impact of network data truncation on traffic classification and define benchmarks for input specifications. Our best results outperform the state-of-the-art in terms of generalization strength.