[Resource Topic] 2024/1559: Mind the Composition of Toffoli Gates: Structural Algebraic Distinguishers of ARADI

Welcome to the resource topic for 2024/1559

Title:
Mind the Composition of Toffoli Gates: Structural Algebraic Distinguishers of ARADI

Authors: Emanuele Bellini, Mohamed Rachidi, Raghvendra Rohit, Sharwan K. Tiwari

Abstract:

This paper reveals a critical flaw in the design of ARADI, a recently proposed low-latency block cipher by NSA researchers – Patricia Greene, Mark Motley, and Bryan Weeks. The weakness exploits the specific composition of Toffoli gates in the round function of ARADI’s nonlinear layer, and it allows the extension of a given algebraic distinguisher to one extra round without any change in the data complexity. More precisely, we show that the cube-sum values, though depending on the secret key bits, are always equal in two of the state words. Such a structural property is difficult to obtain by the direct application of division property and has never been seen before in any state-of-the-art block cipher. We call this structural property *weakly-composed-Toffoli gates*, and introduce a theoretical framework which can describe it in general terms. We present algebraic distinguishers that reach 8 out of 16 rounds of ARADI. Most notably, we show that these distinguishers have better data complexities than the division property-based distinguishers for the same number of rounds. We further investigate whether changing the linear layer or the order of composition of Toffoli gates could avoid this property. We give a negative answer to the same and show that it is impossible to prevent this structural property unless the nonlinear layer is re-designed. As a side result, we provide a key-recovery attack on 10 rounds ARADI with 2^124 data and 2^177 time for a 256-bit key. Our work highlights the significance of security analysis during the cipher design phase, and shows that these strong structural distinguishers could have been avoided during this phase.

ePrint: https://eprint.iacr.org/2024/1559

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.