Mohamed Tolba

Meet-in-the-Middle Attacks on Round-Reduced Khudra

Khudra is a hardware-oriented lightweight block cipher that is designed to run efficiently on Field Programmable Gate Arrays. It employs an 18-rounds Generalized type-2 Feistel Structure with a 64-bit block length and an 80-bit key. In this paper, we present Meet-in-the-Middle MitM attacks on 13 and 14 round-reduced Khudra. These attacks are based on finding a distinguisher that is evaluated offline independently of the key. Then in an online phase, some rounds are appended before and after the distinguisher and the correct key candidates for these rounds are checked whether they verify the distinguisher property or not. Using this technique, we find two 6-round distinguishers and use them to attack 13 and 14 rounds of Khudra with time complexity of 266.11 and 266.19, respectively. Both attacks require the same data and memory complexities of 251 chosen plaintexts and 264.8 64-bit blocks, respectively.

Impossible Differential Cryptanalysis of Reduced-Round SKINNY

SKINNY is a new lightweight tweakable block cipher family proposed by Beierle et al. at CRYPTO 2016. SKINNY has 6 main variants where SKINNY-n-t is a block cipher that operates on n-bit blocks using t-bit tweakey (key and tweak) where \(n=64\) or 128 and \(t=n\), 2n, or 3n. In this paper, we present impossible differential attacks against reduced-round versions of all the 6 members of the SKINNY family in the single-tweakey model. More precisely, using an 11-round impossible differential distinguisher, we present impossible differential attacks against 18-round SKINNY-n-n, 20-round SKINNY-n-2n and 22-round SKINNY-n-3n (\(n=64\) or 128). To the best of our knowledge, these are the best attacks against these 6 variants in the single-tweakey model.

Generalized MitM attacks on full TWINE

TWINE is a lightweight block cipher which employs a generalized Feistel structure with 16 nibble-blocks. It has two versions: TWINE-80 and TWINE-128, both have a block length of 64 bits and employ keys of length 80 and 128 bits, respectively. In this paper, we propose a low data complexity key recovery attack on the full cipher. This attack is inspired by the 3-subset Meet-in-the-Middle (MitM) attack. However, in our attack, we remove the restrictions of the 3-subset MitM by allowing the key to be partitioned into n ? 3 subsets and by not restricting these subsets to be independent. To improve the computational complexity of the attack, we adopt a recomputation strategy similar to the one used in the original biclique attack. Adopting this approach, we present a known plaintext key recovery attack on TWINE-80 and TWINE-128 with time complexities of 278.74 and 2126.1, respectively. Both attacks require only two plaintext-ciphertext pairs. Furthermore, by combining our technique with a splice-and-cut approach, we gain a slight improvement in the time complexity of the attack at the expense of increasing the number of required plaintext-ciphertext pairs. Presented a generalized Meet-in-the-Middle attack.The key is partitioned into n ? 3 subsets, which are not necessarily independent.Showed how to combine the attack with a splice-and-cut approach.Applied the attack to TWINE-80 and TWINE-128.

Meet-in-the-Middle Attacks on Reduced-Round Hierocrypt-3

Hierocrypt-3 is an SPN-based block cipher designed by Toshiba Corporation. It operates on 128-bit state using either 128, 192 or 256-bit key. In this paper, we present two meet-in-the-middle attacks in the single-key setting on the 4-round reduced Hierocrypt-3 with 256-bit key. The first attack is based on the differential enumeration approach where we propose a truncated differential characteristic in the first 2.5 rounds and match a multiset of state differences at its output. The other attack is based on the original meet-in-the-middle attack strategy proposed by Demirci and Selcuk at FSE 2008 to attack reduced versions of both AES-192 and AES-256. For our attack based on the differential enumeration, the master key is recovered with data complexity of

Meet-in-the-Middle Attacks on Reduced Round Piccolo

2^{113}

Improved Meet-in-the-Middle Attacks on Reduced Round Kuznyechik

2113 chosen plaintexts, time complexity of

Truncated and Multiple Differential Cryptanalysis of Reduced Round Midori128

2^{238}