TY - GEN
T1 - Algebraic Cryptanalysis of Variants of Frit
AU - Dobraunig, Christoph
AU - Eichlseder, Maria
AU - Mendel, Florian
AU - Schofnegger, Markus
PY - 2020/1/10
Y1 - 2020/1/10
N2 - Frit is a cryptographic 384-bit permutation recently proposed by Simon et al. and follows a novel design approach for built-in countermeasures against fault attacks. We analyze the cryptanalytic security of Frit in different use cases and propose attacks on the full-round primitive. We show that the inverse of Frit is significantly weaker than Frit from an algebraic perspective, despite the better diffusion of the inverse of the mixing functions Its round function has an effective algebraic degree of only about 1.325. We show how to craft structured input spaces to linearize up to 4 (or, conditionally, 5) rounds and thus further reduce the degree. As a result, we propose very low-dimensional start-in-the-middle zero-sum partitioning distinguishers for unkeyed Frit, as well as integral distinguishers for reduced-round Frit and full-round We also consider keyed Frit variants using Even-Mansour or arbitrary round keys. By using optimized interpolation attacks and symbolically evaluating up to 5 rounds of we obtain key-recovery attacks with a complexity of either chosen plaintexts and time, or chosen ciphertexts and time (about 5 seconds in practice).
AB - Frit is a cryptographic 384-bit permutation recently proposed by Simon et al. and follows a novel design approach for built-in countermeasures against fault attacks. We analyze the cryptanalytic security of Frit in different use cases and propose attacks on the full-round primitive. We show that the inverse of Frit is significantly weaker than Frit from an algebraic perspective, despite the better diffusion of the inverse of the mixing functions Its round function has an effective algebraic degree of only about 1.325. We show how to craft structured input spaces to linearize up to 4 (or, conditionally, 5) rounds and thus further reduce the degree. As a result, we propose very low-dimensional start-in-the-middle zero-sum partitioning distinguishers for unkeyed Frit, as well as integral distinguishers for reduced-round Frit and full-round We also consider keyed Frit variants using Even-Mansour or arbitrary round keys. By using optimized interpolation attacks and symbolically evaluating up to 5 rounds of we obtain key-recovery attacks with a complexity of either chosen plaintexts and time, or chosen ciphertexts and time (about 5 seconds in practice).
KW - cryptanalysis
KW - Frit
KW - higher-order differentials
KW - interpolation attack
KW - Interpolation
KW - Cryptanalysis
KW - Higher-order differentials
UR - http://www.scopus.com/inward/record.url?scp=85079542579&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-030-38471-5_7
DO - https://doi.org/10.1007/978-3-030-38471-5_7
M3 - Conference paper
SN - 9783030384708
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 149
EP - 170
BT - Selected Areas in Cryptography – SAC 2019 - 26th International Conference, Revised Selected Papers
A2 - Paterson, Kenneth G.
A2 - Stebila, Douglas
PB - Springer
T2 - 26th International Conference on Selected Areas in Cryptography
Y2 - 12 August 2019 through 16 August 2019
ER -