| In the current era of network interconnection,information is everywhere,and ciphers are the cornerstone of guaranteeing information security.As one of the cryptographic systems,symmetric-key ciphers have been widely used.Hence,their security should be evaluated thoughtfully.With the development of ciphers,there have been many cryptanalytic methods,including differential cryptanalysis,linear cryptanalysis,integral cryptanalysis and so on,as well as extensions of these methods.Meanwhile,the design criteria of ciphers also developed continuously.Thus,in order to make further evaluation on their security,one has to explore new non-random properties to construct novel cryptanalytic methods,or try to improve and refine those existing methods.To efficiently recognize non-random propertiess,cryptanalysts have introduced some automated searching tools such as STP and MILP.Besides,these tools have also been used to mount key recovery attacks.This paper aims to explore novel cryptanalytic methods and works from three research directions including linear cryptanalysis,integral-like cryptanalyses and their connections with linear-like ones,security evaluation of lightweight lowlatency ciphers.As a result,we construct three novel cryptanalytic methods,including the extension of Matsui’s Algorithm 1 to linear hulls revisited,deterministic related-key statistical saturation cryptanalysis,probabilistic relatedkey statistical saturation cryptanalysis.Meanwhile,we also construct an automated searching algorithm aiming at differential-like key recovery attacks suitable for two-branch ciphers.Detailed background,motivation and results are shown as follows.Research on Linear Cryptanalysis:Linear cryptanalysis was proposed by Matsui,where a linear approximation with high correlation is exploited.With this approximation,Matsui proposed two types of algorithms(Algorithm 1 and Algorithm 2)to recover key bits.However,these two algorithms are based on the assumption that there is no linear hull effect of the target cipher.With the development of ciphers,this assumption doesn’t hold anymore.R?ck and Nyberg proposed the extension of Matsui’1 Algorithm 1 for key-alternating ciphers by taking the linear hull effect into consideration,and constructed several statistical models to distinguish the right key guess from wrong ones.However,experimental results on a toy cipher show that their extension doesn’t accurately give the relation between data complexities and success probabilities,thus,this method cannot give valid and trustful security evaluation on ciphers.Hence,whether one can accurately construct the extension of Matsui’s Algorithm 1 still be an open problem.By exploiting a new methodology,and using new statistical models based on two different types of decision functions,this paper proposes the extension of Matsui’s Algorithm 1 to linear hulls revisited.Experimental results show that this revised method can accurately predict the relation between data complexities and success probabilities.Hence,this method is the first accurate analysis of the extension of Matsui’s Algorithm 1 to linear hulls.To illustrate the usefulness of our new methods,we apply them to one of the ten finalists of the National Institute of Standards and Technology Lightweight Cryptography Standardization project:TinyJAMBU.We provide the first cryptanalysis under the nonce-respecting setting on the full TinyJAMBU vl and the round-reduced TinyJAMBU v2,where partial key bits are recovered.Both results are the best ones on TinyJAMBU.Integral-Like Cryptanalyses and their Connections with Linear-Like Cryptanalyses:Zero-Correlation cryptanalysis is a variant of linear cryptanalysis,which was proposed by Bogdanov and Rijmen.Later,Bogdanov and Wang proposed the zero-correlation cryptanalysis with reduced data complexity.These two methods utilize the linear hull with correlation zero,which holds for any key.Key difference invariant bias technique was proposed by Bogdanov et al.is another integral-like method,which exploits the non-random property in the related-key setting,i.e.the difference of these two correlations evaluated under related keys is zero.Therefore,this distinguisher can be seen as the extension of the distinguisher used in zero-correlation methods.Integral cryptanalysis was proposed by Daemen,Knudsen and Wagner.It utilizes plaintexts that fixed in some bits while taking all possible values in the others,and tries to find the balanced property or zero-sum property of the ciphertext sets.The statistical saturation cryptanalysis was proposed by Collard and Standaert,which is a variant of integral attack.It uses the same plaintext set as the one utilized in integral attack,and explores the non-random property of value distribution of the ciphertext set.To reduce the data complexity needed in the integral cryptanalysis,Wang et al.proposed the statistical integral cryptanalysis.All these three methods utilize the non-random property in the single-key setting.Compared with linear-like methods,whether there exists non-random properties in the related-key setting for integral-like methods is unknown.Bogdanov et al.also proved that the integral distinguisher is conditional equivalent with the zero-correlation one.Notice that the distinguisher used in the key difference invariant bias technique can be regarded as the extension of zero-correlation distinguisher in the related-key setting.Hence,whether the distinguisher used in the related-key integral-like method can be conditional equivalent with the one used in the key difference invariant bias technique is also unknown.This paper constructs the deterministic related-key statistical saturation cryptanalysis,which exploits the non-random property in the related-key setting,i.e.when the plaintext fulfills that some bits are fixed while the others taking all possible values,some part of the ciphertexts encrypted under related keys will have the same value distribution.Meanwhile,this paper also proves that the deterministic related-key statistical saturation distinguisher is conditional equivalent with the distinguisher used in the key difference invariant bias technique.Inspired by the statistical integral,this paper also constructs probabilistic related-key statistical saturation cryptanalysis with the help of the Stuart-Maxwell test of marginal homogeneity.This method uses the same distinguisher exploited in the deterministic one while it needs lower data complexities.The deterministic and probabilistic related-key statistical saturation cryptanalyses fill in the theoretical gaps in the related-key setting.With the deterministic one,this paper proposes a 10round key recovery attack on QARMA-64 considering outer whitening keys.This is the first valid related-key attack on QARMA-64.With the probabilistic one,this paper obtains the best key recovery attacks considering both whitening keys on Piccolo,and the fastest key recovery attacks on full-round LiCi-2.Security Evaluation of Lightweight Low-Latency Ciphers:Lightweight ciphers are designed to suitable for resource-restricted application environments,thus,whether they have enough security is valuable to study.Orthros is a lowlatency keyed pseudorandom function proposed in FSE 2022,which takes a twobranch overall structure.Given the 128-bit input,Orthros will firstly copy it into two same parts and then input them into these two keyed permutations used in these two branches,respectively.The XORed value of outputs from these two branches is the output of Orthros.As claimed by the designers,benefiting from this two-branch structure,mounting key recovery attacks on such ciphers is difficult.We construct an automated searching algorithm for such two-branch ciphers aiming at differential-like attacks,which has unified the distinguisher searching process,key recovery procedure and attack complexity evaluation.In this way,one can find available key recovery attacks along with the distinguisher exploited in this attack.This automatic searching model is the first automatic cryptanalytic model for two-branch ciphers.Using this model,we can mount a differential-linear key recovery attack on 7-round Orthros,which is the best attack result on Orthros.Besides,a 6-round key recovery attack on Orthros using the differential cryptanalysis is also given.Both results are the first key recovery attacks on Orthros. |