Jung Hee Cheon
Advances in Cryptology – ASIACRYPT 2016
22nd International Conference on the Theory and Application of Cryptology and Information Security
Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II
Lecture Notes in Computer Science 10032
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
More information about this series at http://www.springer.com/series/7410
Jung Hee Cheon • Tsuyoshi Takagi (Eds.)
ASIACRYPT 2016
22nd International Conference on the Theory and Application of Cryptology and Information Security
Proceedings, Part II
Jung Hee Cheon, Seoul National University, Seoul, Korea (Republic of)
Tsuyoshi Takagi, Kyushu University, Fukuoka, Japan
ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-662-53889-0 ISBN 978-3-662-53890-6 (eBook)
DOI 10.1007/978-3-662-53890-6
Library of Congress Control Number: 2016956613
LNCS Sublibrary: SL4 – Security and Cryptology
© International Association for Cryptologic Research 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer-Verlag GmbH Germany
The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany
Preface

ASIACRYPT 2016, the 22nd Annual International Conference on Theory and Application of Cryptology and Information Security, was held at InterContinental Hanoi Westlake Hotel in Hanoi, Vietnam, during December 4–8, 2016. The conference focused on all technical aspects of cryptology, and was sponsored by the International Association for Cryptologic Research (IACR).

Asiacrypt 2016 received a total of 240 submissions from all over the world. The Program Committee selected 67 papers from these submissions for publication in the proceedings of this conference. The review process was made via the usual double-blind peer review by the Program Committee comprising 43 leading experts in the field. Each submission was reviewed by at least three reviewers, and five reviewers were assigned to submissions co-authored by Program Committee members. This year, the conference operated a two-round review system with a rebuttal phase. In the first-round review the Program Committee selected the 140 submissions that were considered of value for proceeding to the second round. In the second-round review the Program Committee further reviewed the submissions by taking into account the rebuttal letters from the authors. The selection process was assisted by a total of 309 external reviewers. These two-volume proceedings contain the revised versions of the papers that were selected. The revised versions were not reviewed again and the authors are responsible for their contents.

The program of Asiacrypt 2016 featured three excellent invited talks. Nadia Heninger gave a talk on "The Reality of Cryptographic Deployments on the Internet," Hoeteck Wee spoke on "Advances in Functional Encryption," and Neal Koblitz gave a non-technical lecture on "Cryptography in Vietnam in the French and American Wars." The conference also featured a traditional rump session that contained short presentations on the latest research results of the field. The Program Committee selected the work "Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds" by Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène for the Best Paper Award of Asiacrypt 2016. Two more papers, "Nonlinear Invariant Attack—Practical Attack on Full SCREAM, iSCREAM, and Midori64" by Yosuke Todo, Gregor Leander, and Yu Sasaki and "Cliptography: Clipping the Power of Kleptographic Attacks" by Alexander Russell, Qiang Tang, Moti Yung, and Hong-Sheng Zhou were solicited to submit full versions to the Journal of Cryptology.

Many people contributed to the success of Asiacrypt 2016. We would like to thank the authors for submitting their research results to the conference. We are very grateful to all of the Program Committee members as well as the external reviewers for their fruitful comments and discussions on their areas of expertise. We are greatly indebted to Ngo Bao Chau and Phan Duong Hieu, the general co-chairs, for their efforts and overall organization. We would also like to thank Nguyen Huu Du, Nguyen Quoc Khanh, Nguyen Duy Lan, Duong Ngoc Thai, Nguyen Ta Toan Khoa, Nguyen Ngoc Tuan, Le Thi Lan Anh, and the local Organizing Committee for their continuous support.

We thank Steven Galbraith for expertly organizing and chairing the rump session. Finally, we thank Shai Halevi for letting us use his nice software for supporting the paper submission and review process. We also thank Alfred Hofmann, Anna Kramer, and their colleagues at Springer for handling the editorial process of the proceedings.

We would like to express our gratitude to our partners and sponsors: XLIM, Microsoft Research, CISCO, Intel, Google.

Tsuyoshi Takagi
ASIACRYPT 2016
The 22nd Annual International Conference on Theory and Application of Cryptology and Information Security
Sponsored by the International Association for Cryptologic Research (IACR)
December 4–8, 2016, Hanoi, Vietnam

General Co-chairs
Ngo Bao Chau VIASM, Vietnam and University of Chicago, USA
Phan Duong Hieu XLIM, University of Limoges, France
Program Co-chairs
Jung Hee Cheon Seoul National University, Korea
Tsuyoshi Takagi Kyushu University, Japan
Program Committee
Elena Andreeva KU Leuven, Belgium
Xavier Boyen Queensland University of Technology, Australia
Anne Canteaut Inria, France
Chen-Mou Cheng National Taiwan University, Taiwan
Sherman S.M. Chow Chinese University of Hong Kong, Hong Kong, SAR China
Nico Döttling University of California, Berkeley, USA
Thomas Eisenbarth Worcester Polytechnic Institute, USA
Georg Fuchsbauer École Normale Supérieure, France
Steven Galbraith Auckland University, New Zealand
Sanjam Garg University of California, Berkeley, USA
Vipul Goyal Microsoft Research, India
Jens Groth University College London, UK
Sylvain Guilley Secure-IC S.A.S., France
Alejandro Hevia Universidad de Chile, Chile
Antoine Joux Foundation UPMC and LIP6, France
Xuejia Lai Shanghai Jiaotong University, China
Hyung Tae Lee Nanyang Technological University, Singapore
Kwangsu Lee Sejong University, Korea
Dongdai Lin Chinese Academy of Sciences, China
Feng-Hao Liu Florida Atlantic University, USA
Takahiro Matsuda AIST, Japan
Alexander May Ruhr University Bochum, Germany
Florian Mendel Graz University of Technology, Austria
Amir Moradi Ruhr University Bochum, Germany
Svetla Nikova KU Leuven, Belgium
Tatsuaki Okamoto NTT, Japan
Elisabeth Oswald University of Bristol, UK
Thomas Peyrin Nanyang Technological University, Singapore
Rei Safavi-Naini University of Calgary, Canada
Peter Schwabe Radboud University, The Netherlands
Jae Hong Seo Myongji University, Korea
Damien Stehlé ENS de Lyon, France
Ron Steinfeld Monash University, Australia
Rainer Steinwandt Florida Atlantic University, USA
Daisuke Suzuki Mitsubishi Electric, Japan
Mehdi Tibouchi NTT, Japan
Hoang Viet Tung University of California Santa Barbara, USA
Dominique Unruh University of Tartu, Estonia
Ivan Visconti University of Salerno, Italy
Huaxiong Wang Nanyang Technological University, Singapore
Meiqin Wang Shandong University, China
Céline Blondeau, Tobias Boelter, Carl Bootland, Jonathan Bootle, Yuri Borissov, Christina Boura, Colin Boyd, Wouter Castryck, Dario Catalano, Andrea Cerulli, Gizem Cetin, Pyrros Chaidos, Nishanth Chandran, Yu-Chen Chang, Lin Changlu, Binyi Chen, Cong Chen, Jie Chen, Ming-Shing Chen, Yu Chen, Céline Chevalier, Chongwon Cho, Kyu Young Choi, HeeWon Chung, Kai-Min Chung, Eloi de Chérisey, Michele Ciampi, Craig Costello, Joan Daemen, Ricardo Dahab, Wei Dai, Bernardo David, Thomas de Cnudde, David Derler, Apoorvaa Deshpande, Christoph Dobraunig, Yarkin Doroz, Ming Duan, Léo Ducas, Dung Hoang Duong
Ai Ishida, Takanori Isobe, Tetsu Iwata, Aayush Jain, Sune Jakobsen, Yin Jia, Shaoquan Jiang, Chethan Kamath, Sabyasachi Karati, Sayasachi Karati, Yutaka Kawai, Carmen Kempka, HeeSeok Kim, Hyoseung Kim, Jinsu Kim, Myungsun Kim, Taechan Kim, Paul Kirchner, Elena Kirshanova, Fuyuki Kitagawa, Susumu Kiyoshima, Jessica Koch, Markulf Kohlweiss, Vladimir Kolesnikov, Thomas Korak, Yoshihiro Koseki, Ashutosh Kumar, Ranjit Kumaresan, Po-Chun Kuo, Robert Kübler, Thijs Laarhoven, Ching-Yi Lai, Russell W.F. Lai, Virginie Lallemand, Adeline Langlois, Sebastian Lauer, Su Le, Gregor Leander, Kwangsu Lee, Gaëtan Leurent, Anthony Leverrier, Jingwei Li, Ming Li, Wen-Ding Li, Benoit Libert, Fuchun Lin, Tingting Lin, Meicheng Liu, Yunwen Liu, Zhen Liu, Zidong Lu, Yiyuan Luo, Atul Luykx, Vadim Lyubashevsky, Bernardo Magri, Mary Maller, Alex Malozemoff, Antonio Marcedone, Benjamin Martin, Daniel Martin, Marco Martinoli, Daniel Masny, Maike Massierer, Mitsuru Matsui, Willi Meier, Bart Mennink, Peihan Miao, Kazuhiko Minematsu, Nicky Mouha, Pratyay Mukherjee, Sean Murphy, Jörn Müller-Quade, Valérie Nachef, Michael Naehrig, Matthias Nagel, Yusuke Naito, Mridul Nandi, María Naya-Plasencia, Kartik Nayak, Khoa Nguyen, Ivica Nikolic, Ventzislav Nikov, Ryo Nishimaki, Anca Nitulescu, Koji Nuida, Maciej Obremski, Toshihiro Ohigashi, Miyako Ohkubo, Sumit Kumar Pandey, Jong Hwan Park
Berk Sunar, Koutarou Suzuki, Alan Szepieniec, Mostafa Taha, Somayeh Taheri, Junko Takahashi, Katsuyuki Takashima, Benjamin Tan, Jean-Pierre Tillich, Junichi Tomida, Yiannis Tselekounis, Himanshu Tyagi, Thomas Unterluggauer, Damien Vergnaud, Gilles Villard, Vanessa Vitse, Damian Vizar, Michael Walter, Han Wang, Hao Wang, Qiungju Wang, Wei Wang, Yuyu Wang, Yohei Watanabe, Hoeteck Wee, Wei Wei, Mor Weiss, Mario Werner, Bas Westerbaan, Carolyn Whitnall, Alexander Wild, Baofeng Wu, Keita Xagawa, Zejun Xiang, Hong Xu, Weijia Xue, Shota Yamada, Takashi Yamakawa, Hailun Yan, Jun Yan, Bo-Yin Yang, Bohan Yang, Guomin Yang, Mohan Yang, Shang-Yi Yang, Kan Yasuda, Xin Ye, Wentan Yi, Scott Yilek, Kazuki Yoneyama, Rina Zeitoun, Fan Zhang, Guoyan Zhang, Liang Feng Zhang, Liangfeng Zhang, Tao Zhang, Wentao Zhang, Yusi Zhang, Zongyang Zhang, Jingyuan Zhao, Yongjun Zhao, Yixin Zhong, Hong-Sheng Zhou, Xiao Zhou, Jincheng Zhuang
Nguyen Quoc Khanh Vietcombank, Vietnam
Nguyen Duy Lan Microsoft Research, USA
Duong Ngoc Thai Google, USA
Nguyen Ta Toan Khoa NTU, Singapore
Nguyen Ngoc Tuan VIASM, Vietnam
Le Thi Lan Anh VIASM, Vietnam
Invited Talks
Advances in Functional Encryption

Hoeteck Wee, ENS, Paris, France, wee@di.ens.fr

Abstract. Functional encryption is a novel paradigm for public-key encryption that enables both fine-grained access control and selective computation on encrypted data, as is necessary to protect big, complex data in the cloud. In this talk, I will provide a brief introduction to functional encryption and an overview of the state of the art, with a focus on constructions based on lattices.

CNRS, INRIA and Columbia University. Supported in part by ERC Project aSCEND (H2020 639554) and NSF Award CNS-1445424.
The Reality of Cryptographic Deployments on the Internet

Nadia Heninger, University of Pennsylvania, Philadelphia, USA

Abstract. Security proofs for cryptographic primitives and protocols rely on a number of (often implicit) assumptions about the world in which these components live. They assume that implementations are correct, that specifications are followed, that systems make sensible choices about error conditions, and that reliable sources of random numbers are present. However, a number of real world studies examining cryptographic deployments have shown that these assumptions are often not true on a large scale, with catastrophic effects for security.

In addition to simple programming errors, many real-world cryptographic vulnerabilities can be traced back to more complex underlying causes, such as backwards compatibility, legacy protocols and software, hard-coded resource limits, and political interference in design choices.

Many of these issues appear on the surface to be at an entirely different level of abstraction from the cryptographic primitives used in their construction. However, by taking advantage of the structure of many cryptographic primitives when used at Internet scale, it is possible to uncover fundamental vulnerabilities in implementations. I will discuss the interplay between mathematical analysis techniques and the thorny implementation issues that lead to vulnerable cryptographic deployments in the real world.
Contents – Part II

Asiacrypt 2016 Award Papers

Nonlinear Invariant Attack: Practical Attack on Full SCREAM, iSCREAM, and Midori64 (p. 3)
Yosuke Todo, Gregor Leander, and Yu Sasaki

Cliptography: Clipping the Power of Kleptographic Attacks (p. 34)
Alexander Russell, Qiang Tang, Moti Yung, and Hong-Sheng Zhou

Zero Knowledge

Zero-Knowledge Accumulators and Set Algebra (p. 67)
Esha Ghosh, Olga Ohrimenko, Dimitrios Papadopoulos, Roberto Tamassia, and Nikos Triandopoulos

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption (p. 101)
Benoît Libert, San Ling, Fabrice Mouhartem, Khoa Nguyen, and Huaxiong Wang

Post Quantum Cryptography

From 5-Pass MQ-Based Identification to MQ-Based Signatures (p. 135)
Ming-Shing Chen, Andreas Hülsing, Joost Rijneveld, Simona Samardjiska, and Peter Schwabe

Collapse-Binding Quantum Commitments Without Random Oracles (p. 166)
Dominique Unruh

Digital Signatures Based on the Hardness of Ideal Lattice Problems in All Rings (p. 196)
Vadim Lyubashevsky
Selective-Opening Security in the Presence of Randomness Failures (p. 278)
Viet Tung Hoang, Jonathan Katz, Adam O’Neill, and Mohammad Zaheri

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions (p. 307)
Shuai Han, Shengli Liu, and Lin Lyu

Structure-Preserving Smooth Projective Hashing (p. 339)
Olivier Blazy and Céline Chevalier

Digital Signature

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions (p. 373)
Benoît Libert, San Ling, Fabrice Mouhartem, Khoa Nguyen, and Huaxiong Wang

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption (p. 404)
Xavier Boyen and Qinyi Li

From Identification to Signatures, Tightly: A Framework and Generic Transforms (p. 435)
Mihir Bellare, Bertram Poettering, and Douglas Stebila

How to Obtain Fully Structure-Preserving (Automorphic) Signatures from Structure-Preserving Ones (p. 465)
Yuyu Wang, Zongyang Zhang, Takahiro Matsuda, Goichiro Hanaoka, and Keisuke Tanaka

Functional and Homomorphic Cryptography

Multi-key Homomorphic Authenticators (p. 499)
Dario Fiore, Aikaterini Mitrokotsa, Luca Nizzardo, and Elena Pagnin

Multi-input Functional Encryption with Unbounded-Message Security (p. 531)
Vipul Goyal, Aayush Jain, and Adam O’Neill

Verifiable Functional Encryption (p. 557)
Saikrishna Badrinarayanan, Vipul Goyal, Aayush Jain, and Amit Sahai

ABE and IBE

Dual System Encryption Framework in Prime-Order Groups via Computational Pair Encodings (p. 591)
Nuttapong Attrapadung
Efficient IBE with Tight Reduction to Standard Assumption in the Multi-challenge Setting (p. 624)
Junqing Gong, Xiaolei Dong, Jie Chen, and Zhenfu Cao

Déjà Q All Over Again: Tighter and Broader Reductions of q-Type Assumptions (p. 655)
Melissa Chase, Mary Maller, and Sarah Meiklejohn

Partitioning via Non-linear Polynomial Functions: More Compact IBEs from Ideal Lattices and Bilinear Maps (p. 682)
Shuichi Katsumata and Shota Yamada

Foundation

How to Generate and Use Universal Samplers (p. 715)
Dennis Hofheinz, Tibor Jager, Dakshita Khurana, Amit Sahai, Brent Waters, and Mark Zhandry

Iterated Random Oracle: A Universal Approach for Finding Loss in Security Reduction (p. 745)
Fuchun Guo, Willy Susilo, Yi Mu, Rongmao Chen, Jianchang Lai, and Guomin Yang

NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion (p. 777)
Mihir Bellare, Georg Fuchsbauer, and Alessandra Scafuro

Cryptographic Protocol

Universal Composition with Responsive Environments (p. 807)
Jan Camenisch, Robert R. Enderlein, Stephan Krenn, Ralf Küsters, and Daniel Rausch

A Shuffle Argument Secure in the Generic Model (p. 841)
Prastudy Fauzi, Helger Lipmaa, and Michał Zając

Efficient Public-Key Distance Bounding Protocol (p. 873)
Handan Kılınç and Serge Vaudenay

Indistinguishable Proofs of Work or Knowledge (p. 902)
Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, and Bingsheng Zhang

Multi-party Computation

Size-Hiding Computation for Multiple Parties (p. 937)
Kazumasa Shinagawa, Koji Nuida, Takashi Nishide, Goichiro Hanaoka, and Eiji Okamoto

How to Circumvent the Two-Ciphertext Lower Bound for Linear Garbling Schemes (p. 967)
Carmen Kempka, Ryo Kikuchi, and Koutarou Suzuki

Constant-Round Asynchronous Multi-Party Computation Based on One-Way Functions (p. 998)
Sandro Coretti, Juan Garay, Martin Hirt, and Vassilis Zikas

Reactive Garbling: Foundation, Instantiation, Application (p. 1022)
Jesper Buus Nielsen and Samuel Ranellucci

Author Index (p. 1053)
Contents – Part I

Asiacrypt 2016 Best Paper

Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds (p. 3)
Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène

Mathematical Analysis I

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm (p. 37)
Palash Sarkar and Shashank Singh

On the Security of Supersingular Isogeny Cryptosystems (p. 63)
Steven D. Galbraith, Christophe Petit, Barak Shani, and Yan Bo Ti

AES and White-Box

Simpira v2: A Family of Efficient Permutations Using the AES Round Function (p. 95)
Shay Gueron and Nicky Mouha

Towards Practical Whitebox Cryptography: Optimizing Efficiency and Space Hardness (p. 126)
Andrey Bogdanov, Takanori Isobe, and Elmar Tischhauser

Efficient and Provable White-Box Primitives (p. 159)
Pierre-Alain Fouque, Pierre Karpman, Paul Kirchner, and Brice Minaud

Hash Function

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity (p. 191)
Martin Albrecht, Lorenzo Grassi, Christian Rechberger, Arnab Roy, and Tyge Tiessen

Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks (p. 220)
Dan Boneh, Henry Corrigan-Gibbs, and Stuart Schechter

Linear Structures: Applications to Cryptanalysis of Round-Reduced KECCAK (p. 249)
Jian Guo, Meicheng Liu, and Ling Song

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes (p. 369)
Christoph Dobraunig, Maria Eichlseder, Thomas Korak, Victor Lomné, and Florian Mendel

Authenticated Encryption with Variable Stretch (p. 396)
Reza Reyhanitabar, Serge Vaudenay, and Damian Vizár

Design Strategies for ARX with Provable Bounds: SPARX and LAX (p. 484)
Daniel Dinu, Léo Perrin, Aleksei Udovenko, Vesselin Velichkov, Johann Großschädl, and Alex Biryukov

SCA and Leakage Resilience I

Side-Channel Analysis Protection and Low-Latency in Action: – Case Study of PRINCE and Midori – (p. 517)
Amir Moradi and Tobias Schneider
Characterisation and Estimation of the Key Rank Distribution in the Context of Side Channel Evaluations (p. 548)
Daniel P. Martin, Luke Mather, Elisabeth Oswald, and Martijn Stam

Taylor Expansion of Maximum Likelihood Attacks for Masked and Shuffled Implementations (p. 573)
Nicolas Bruneau, Sylvain Guilley, Annelie Heuser, Olivier Rioul, François-Xavier Standaert, and Yannick Teglia

Unknown-Input Attacks in the Parallel Setting: Improving the Security of the CHES 2012 Leakage-Resilient PRF (p. 602)
Marcel Medwed, François-Xavier Standaert, Ventzislav Nikov, and Martin Feldhofer

Block Cipher II

A New Algorithm for the Unbalanced Meet-in-the-Middle Problem (p. 627)
Ivica Nikolić and Yu Sasaki

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers (p. 648)
Zejun Xiang, Wentao Zhang, Zhenzhen Bao, and Dongdai Lin

Reverse Cycle Walking and Its Applications (p. 679)
Sarah Miracle and Scott Yilek

Cryptographic Applications of Capacity Theory: On the Optimality of Coppersmith’s Method for Univariate Polynomials (p. 759)
Ted Chinburg, Brett Hemenway, Nadia Heninger, and Zachary Scherr

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors (p. 789)
Qian Guo, Thomas Johansson, and Paul Stankovski

SCA and Leakage Resilience II

A Tale of Two Shares: Why Two-Share Threshold Implementation Seems Worthwhile—and Why It Is Not (p. 819)
Cong Chen, Mohammad Farmani, and Thomas Eisenbarth
Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions (p. 844)
Rongmao Chen, Yi Mu, Guomin Yang, Willy Susilo, Fuchun Guo, and Mingwu Zhang

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience (p. 877)
Antonio Faonio and Daniele Venturi

Public-Key Cryptosystems Resilient to Continuous Tampering and Leakage of Arbitrary Functions (p. 908)
Eiichiro Fujisaki and Keita Xagawa

Author Index (p. 939)

Asiacrypt 2016 Award Papers
Nonlinear Invariant Attack: Practical Attack on Full SCREAM, iSCREAM, and Midori64

Yosuke Todo^{1,3}, Gregor Leander^2, and Yu Sasaki^1

1 NTT Secure Platform Laboratories, Tokyo, Japan, {todo.yosuke,sasaki.yu}@lab.ntt.co.jp
2 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany, gregor.leander@rub.de
3 Kobe University, Hyogo, Japan
Abstract. In this paper we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.

Keywords: Nonlinear invariant attack · Boolean function · Ciphertext-only message-recovery attack · SCREAM · iSCREAM · Midori64 · CAESAR competition
Block ciphers are certainly among the most important cryptographic primitives. Since the invention of the DES [1] in the mid 70’s and even more with the design of the AES [2], a huge amount of research has been done on various aspects of block cipher design and block cipher analysis. In the last decade, many new block ciphers have been proposed that aim at highly resource constrained devices. Driven by new potential applications like the internet of things, we have witnessed not only many new designs, but also several new cryptanalytic results. Today, we have at hand a well established set of cryptanalytic tools that, when carefully applied, allow one to gain significant confidence in the security of a block cipher design. The most prominent tools here are certainly differential [5] and linear [21] attacks and their numerous variations [4,7,14,15].
© International Association for Cryptologic Research 2016
J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part II, LNCS 10032, pp. 3–33, 2016.
Despite this fact, quite a few of the recently proposed lightweight block ciphers got broken rather quickly. One of the reasons for those attacks, on what is supposed to be a well-understood field of cryptographic designs, is that the new lightweight block ciphers are designed more aggressively than, e.g., most of the AES candidates. Especially when it comes to the design of the key schedule, many new proposals keep the design very simple, often using identical round keys. While there is no general defect with such a key schedule, structural attacks become much more of an issue compared to a cipher that deploys a more complicated key schedule. In this paper we introduce a new structural attack, named nonlinear invariant attack. At first glance, it might seem quite unlikely that such an attack could ever be successfully applied. However, we give several examples of ciphers that are highly vulnerable to this attack.
function $g$, $g(p) \oplus g(E_k(p))$ is constant for any plaintext $p$ and any weak key $k$. On the other hand, the probability that random permutations have this property is about $2^{-N+1}$ when $g$ is balanced. Therefore, attackers can immediately execute a distinguishing attack. Moreover, if the constant depends on the secret key, an attacker can recover one bit of information about the secret key by using one known plaintext-ciphertext pair.
For round-based block ciphers, our attack builds the nonlinear invariants from the nonlinear invariants of the single round functions. In order to extend the nonlinear invariant for a single round to the whole cipher, all round keys must be weak keys. It may be infeasible to find such weak-key classes for block ciphers with a non-trivial key schedule. However, as mentioned above, many recent block ciphers are designed for lightweight applications, and they adopt more aggressive designs to achieve high performance even in highly constrained environments. Several lightweight ciphers do not deploy any key schedule at all, but rather use the master key directly as the identical round key for all rounds. In such a situation, the weak-key class of round keys is trivially converted into the weak-key class of the secret key. In particular, when all round keys are weak, this property is iterative over an arbitrary number of rounds.
(Ciphertext-Only) Message-Recovery Attacks. The most surprising application of the nonlinear invariant attack is an extension to ciphertext-only message-recovery attacks. Clearly, we cannot execute any ciphertext-only attack without some information on the plaintexts. Therefore, our attack is a ciphertext-only attack only under the following environments. Suppose that block ciphers which are vulnerable against the nonlinear invariant attack are used in well-known modes of operation, e.g., CBC, CFB, OFB, and CTR. Then, if the same unknown plaintext is encrypted by the same weak key and different initialization vectors, attackers can practically recover a part of the plaintext from the ciphertexts only.

Applications. We demonstrate that our new attack practically breaks the full authenticated encryption schemes SCREAM^1 [11] and iSCREAM [10] and the low-energy block cipher Midori64 [3] in the weak-key setting.
Table 1. Summary of the nonlinear invariant attack
Columns: # of weak keys | Max # of recovered bits | Data complexity | Time complexity
h is the number of blocks in the mode of operation.
We show that the tweakable block ciphers Scream and iScream have a nonlinear invariant function, and the number of weak keys is $2^{96}$. Midori64 also has a nonlinear invariant function, and the number of weak keys is $2^{64}$. Table 1 summarizes the result of the nonlinear invariant attack against SCREAM, iSCREAM, and Midori64. The use of the tweakable block cipher Scream is defined by the authenticated encryption SCREAM, and the final block is encrypted like CTR when the byte length of a plaintext is not a multiple of 16. We exploit this procedure and recover 32 bits of the final block of the plaintext if the final block length ranges from 12 bytes to 15 bytes. We can also execute a similar attack against iSCREAM. Note that our attack breaks SCREAM and iSCREAM in the nonce-respecting model. Midori64 is a low-energy block cipher, and we consider the case that Midori64 is used by well-known modes of operation. As a result, we can recover 32 bits in every 64-bit block of the plaintext if Midori64 is used in CBC, CFB, OFB, and CTR.
Comparison with Previous Attacks. Leander et al. proposed an invariant subspace attack on iSCREAM [19], which is a weak-key attack working for $2^{96}$ weak keys. The attack can be a distinguishing attack and key recovery attack in the chosen-message and chosen-tweak model. Guo et al. presented a weak-key attack on full Midori64 [12], which works for $2^{32}$ weak keys, distinguishes the cipher with 1 chosen-plaintext query, and recovers the key with $2^{16}$ computations.

1 Note that throughout the paper SCREAM always refers to the latest version of SCREAM, i.e., SCREAM (v3).
Compared to [19], our attack has the same weak key size and we distinguish the cipher in the known-message and chosen-tweak model. Compared to [12], our weak-key class is much larger and the cipher is distinguished with 2 known-plaintext queries. In both applications, the key space can be reduced by 1 bit, and in addition a part of the message/plaintext can be recovered from the ciphertext.
1.2 Related Work
The nonlinear invariant attack can be regarded as an extension of linear cryptanalysis [21]. While linear cryptanalysis uses a linear function to approximate the cipher, the nonlinear invariant attack uses a nonlinear function and the probability of the nonlinear approximation is one. When $g$ is linear, ciphers that are resistant against linear cryptanalysis never have a linear approximation with probability one.
The use of the nonlinear approximation has previously been studied. This extension was first discussed by Harpes et al. [13], and Knudsen and Robshaw later investigated the effectiveness deeply [16]. However, they showed that there are insurmountable problems in the general use of nonlinear approximations. For instance, one cannot join nonlinear approximations for more than one round of a block cipher because the actual approximations depend on the specific value of the state and key. Knudsen and Robshaw demonstrated that nonlinear approximations can replace linear approximations in the first and last rounds only [16]. Unfortunately, nonlinear cryptanalysis has not been successful because of this limited application. Our attack can be seen as the first application of the nonlinear cryptanalysis against real ciphers in the past two decades.
Other related attacks are the invariant subspace attack [18,19] and symmetric structures [8,17,23]. Similar to the nonlinear invariant attack, those attacks exploit a cryptanalytic property which continues over an arbitrary number of rounds in the weak-key setting. While those attacks have to choose plaintexts, i.e., are chosen plaintext attacks, the nonlinear invariant attack does not need to choose plaintexts in general. This in particular allows us to extend the nonlinear invariant attack from a pure distinguishing attack to the (ciphertext-only) message-recovery attack.

1.3 Paper Organization
We explain the general ideas and principles of the new attack in Sect.2 Section3explains how, in many cases, the attack can be constructed in an almost auto-matic way using an algorithmic approach that is for most ciphers practical.Moreover, we give a structural reason why some ciphers, more precisely somelinear layers, are inherently weak against our attack and why our attacks arepossible against those ciphers In Sect.4 we explain in detail our attacks onSCREAM and iSCREAM Moreover, Sect.5details our nonlinear invariant attack
on Midori64 Finally, in Sect.6, we give some additional insights into the generalstructure of nonlinear invariant functions and outline some future work
In this section, we describe the basic principle of the attack and its extension to (ciphertext-only) message-recovery attacks when used in common modes of operation. While our attack can be applied to any cipher structure in principle, we focus on the case of key-alternating ciphers and later on substitution-permutation network (SPN) ciphers to simplify the description. We start by explaining the basic idea and later how, surprisingly, the attack can be extended to a (ciphertext-only) message-recovery attack in many scenarios.
2.1 Core Idea
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be the round function of a key-alternating cipher and $F_k(x) = F(x \oplus k)$ be the round function including the key XOR. Thus, for an $r$-round cipher, the ciphertext $C$ is computed from a plaintext $P$ using round keys $k_i$ as

$$x_0 = P, \qquad x_{i+1} = F_{k_i}(x_i) = F(x_i \oplus k_i) \quad (0 \le i \le r-1), \qquad C = x_r,$$

where we ignore the post-whitening key for simplicity.
The core idea of the nonlinear invariant attack is to detect a nonlinear Boolean function $g$ such that

$$g(F(x \oplus k)) = g(x \oplus k) \oplus c = g(x) \oplus g(k) \oplus c \quad \forall x$$

for many keys $k$, where $c$ is a constant in $\mathbb{F}_2$. Keys for which this equality holds will be called weak keys. The function $g$ itself is called nonlinear invariant in

$$\bigoplus_{i=0}^{r-1} c.$$

Thus, the invariant is iterative over an arbitrary number of rounds and immediately leads to a distinguishing attack.
Distinguishing Attack. Assume that we found a Boolean function $g$ that is nonlinear invariant for the round function $F_k$ of a block cipher. Then, if all round keys are weak, this function $g$ is also nonlinear invariant over an arbitrary number of rounds.

Let $(P_i, C_i)$, $1 \le i \le N$, be $N$ pairs of plaintexts and corresponding ciphertexts. Then, $g(P_i) \oplus g(C_i)$ is constant for all pairs. If $g$ is balanced, the probability that a random permutation has this property is about $2^{-N+1}$. Note that the case that $g$ is unbalanced can be handled as well, but is not the main focus of our paper. Therefore, we can practically distinguish the block cipher from random permutations under a known-plaintext attack.
Suitable Nonlinear Invariants. We next discuss a particular choice of a nonlinear invariant $g$ for which it is directly clear that weak keys exist. Imagine we were able to identify a nonlinear invariant $g$ for $F$, i.e. a function such that

$$g(F(x)) \oplus g(x)$$

is constant, such that $g$ is actually linear (or constant) in some of the inputs. In this case, all round keys that are zero in the nonlinear components of $g$ are weak.

More precisely, without loss of generality, assume that the nonlinear invariant $g$ is linear in the last $t$ bits of input (implying that $g$ is nonlinear in the first $s$ bits of input where $s = n - t$). Namely, we can view $g$ as

In other words, all those round keys that are zero in the first $s$ bits are weak. Phrased differently, the density of weak keys is $2^{-s}$.
Example 1. Let $g : \mathbb{F}_2^4 \to \mathbb{F}_2$ be a nonlinear invariant as

$$g(x_4, x_3, x_2, x_1) = x_4 x_3 \oplus x_3 \oplus x_2 \oplus x_1.$$

Then, the function $g$ can be viewed as

$$g(x_4, x_3, x_2, x_1) = f(x_4, x_3) \oplus \ell(x_2, x_1).$$

Now consider a round key $k \in \mathbb{F}_2^2 \times \mathbb{F}_2^2$ of the form $(0, k')$. Then, the function $g$ is a nonlinear invariant for the key XOR because

$$g(x) \oplus g(x \oplus k) = g(x) \oplus g(x) \oplus g(0, k') = g(0, k').$$
On Key Schedule and Round Constants. Many block ciphers generate round keys from the master key by a key schedule. For a proper key schedule, it is very unlikely that all round keys are weak in the above sense. However, many recent lightweight block ciphers do not have a well-diffused key schedule, but rather use (parts of) the master key directly as the round keys. From a performance point of view, this approach is certainly preferable.

However, the direct XORing with the secret key often causes vulnerabilities like the slide attack [6] or the invariant subspace attack [18]. To avoid those attacks, round constants are additionally XORed in such lightweight ciphers. While dense and random-looking round constants would be a conservative choice, many such ciphers adopt sparse round constants because they are advantageous under limited memory requirements.

Focusing on the case of identical round keys, assume that there is a Boolean function $g$ which is nonlinear invariant for the round function $F$. Now if all used round constants $c_i$ are such that $c_i$ is only involved in the linear terms of $g$, the function $g$ is nonlinear invariant for this constant addition. This follows by the same arguments as for the weak keys above. We call such constants, in line with the notation of weak keys from above, weak constants.

To conclude, given a key-alternating cipher with identical round keys and weak round constants, any master key that is weak is immediately weak for an arbitrary number of rounds. In this scenario, the number of weak keys is $2^t$, or equivalently, the density of weak keys is $2^{-s}$.
2.2 Message Recovery Attack

As described so far, the nonlinear invariant attack leaks at most one bit of the secret key. However, if a block cipher that is vulnerable to the nonlinear invariant attack is used in well-known modes of operation, e.g., CBC, CFB, OFB, and CTR, surprisingly, the attack can be turned into a ciphertext-only message recovery attack.
Clearly, we cannot execute any ciphertext-only attack without some information on the plaintexts. When block ciphers are used under well-known modes of operation, the plaintext itself is not the input of the block cipher; the input is rather an initialization vector. Here we assume that an attacker can collect several ciphertexts where the same plaintext is encrypted by the same (weak) key and different initialization vectors. We like to highlight that this assumption is more practical not only compared to the chosen-ciphertext attack but also to the known-plaintext attack. In practice, for instance, assuming an application sends a secret password several times, we can recover the password practically. While the feasibility depends on the behavior of the application, our attack is highly practical in this case.
Attack Against CBC Mode. Figure 1 shows the CBC mode, where $h$ message blocks are encrypted. Let $P_j$ be the $j$th plaintext block, and $C^i_j$ denotes the $j$th ciphertext block by using the initialization vector $IV^i$. The attacker aims at recovering the plaintext $(P_1, P_2, \ldots, P_h)$ by observing the ciphertext $(IV^i, C^i_1, C^i_2, \ldots, C^i_h)$. Moreover, we assume that the block cipher $E_k$ is vulnerable against the nonlinear invariant attack, i.e., there is a function $g$ such that $g(x) \oplus g(y)$ is constant, where $x$ and $y$ denote the input and output of the block cipher.

First, we explain how to recover the plaintext $P_1$ by focusing on the first block. Since $E_k$ is vulnerable against the nonlinear invariant attack, there is a function $g$ such that $g(P_1 \oplus IV^i) \oplus g(C^i_1)$ is constant for any $i \in \{1, 2, \ldots, N\}$.
If $g$ were a linear function,

is constant, and the attacker could only recover at most one bit of secret information. However, $g$ is nonlinear in our attack. Therefore, we can guess and determine the part of $P_1$ that is involved in the nonlinear term of $g$. More precisely, assume as above, without loss of generality, that $g$ is nonlinear in the first $s$ inputs and linear in the last $t$ inputs, i.e.

$$g : \mathbb{F}_2^s \times \mathbb{F}_2^t$$

$$0 = g(P_1 \oplus IV^i) \oplus g(C^i_1) \oplus g(P_1 \oplus IV^j) \oplus g(C^j_1)$$

implies

$$f(x \oplus a_i) \oplus f(x \oplus a_j) = \ell(b_i \oplus b_j) \oplus g(C^i_1) \oplus g(C^j_1). \tag{1}$$
Assuming that the left side of Eq. (1) randomly changes depending on $x$, that is the left part of $P_1$, we can recover one bit of information on $P_1$ by using two initialization vectors. Similarly, we can recover $N - 1$ bits of $P_1$ by using $N$ initialization vectors. Note that we can usually efficiently recover these bits by solving linear systems if the algebraic degree of $f$ is small [22]. We show the specific procedure for SCREAM and Midori64 in Sects. 4 and 5, respectively.

The relationship among $(P_1, IV, C_1)$ is equivalent to that among $(P_i, C_{i-1}, C_i)$. Therefore, we can similarly guess and determine the part of $P_i$ from $C_{i-1}$ and $C_i$ for any of the plaintext blocks. One interesting remark is that as long as we start to recover the message from the second block, the attack can be executed even without the knowledge of the IV.
Attacks Against Other Modes. We can execute similar attacks against the CFB, OFB, and CTR modes.

In the CFB mode, the $h$th ciphertext block $C_h$ is encrypted as

where $(E_k)^h(IV)$ is $h$ times multiple encryption. Since the nonlinear invariant property is iterative over an arbitrary number of rounds, the multiple encryption is also vulnerable against the nonlinear invariant attack. Therefore, we can recover the part of $P_h$ from $IV$ and $C_h$.

In the CTR mode, the $h$th ciphertext block $C_h$ is encrypted as

$$C_h = E_k(IV + h) \oplus P_h.$$

Therefore, we can recover the part of $P_h$ from $IV + h$ and $C_h$.
We start by considering the very general problem of finding nonlinear invariants. Namely, given any function

For simplicity, we focus on the case of identical S-boxes, but the more general case can be handled in a very similar manner. We denote by $t$ the number of S-boxes and by $n$ the size of one S-box. Thus, the block size processed is $n \cdot t$ bits. With this notation, we consider one round $R$ of an SPN

which can also be seen as

$$L : \mathbb{F}_2^{nt} \to \mathbb{F}_2^{nt}.$$

The round function $R$ is given as the composition of the S-box layer and the linear layer, i.e.

$$R(x) = L \circ \mathcal{S}(x).$$
We would like to find a nonlinear invariant $g$ for $R$. However, computing this directly is difficult as soon as the block size is reasonably large. For any function $F$, let us denote by

$$U(F) := \{\, g : \mathbb{F}_2^m \to \mathbb{F}_2 \mid g(x) = g(F(x)) \oplus c \,\}$$

the set of all nonlinear invariants for $F$, and it holds that

$$g \in (U(\mathcal{S}) \cap U(L)) \subset U(R).$$

In other words, functions that are invariant under both $\mathcal{S}$ and $L$ are clearly invariants for their composition $R$.

As we will explain next, computing parts of $U(\mathcal{S}) \cap U(L)$ is feasible, and sufficient to automatically detect the weaknesses described later in the paper.
The S-box Layer. We start by investigating the S-box layer. Given the S-box as a function

$$S : \mathbb{F}_2^n \to \mathbb{F}_2^n,$$

computing $U(S)$ is feasible as long as $n$ is only moderate in size.

Note that, for any function $F$, $U(F)$ is actually a subspace of Boolean functions. To see this, note that given two Boolean functions $f, g \in U(F)$, it holds

$$(f \oplus g)(x) = f(x) \oplus g(x) = (f(F(x)) \oplus c) \oplus (g(F(x)) \oplus c') = (f \oplus g)(F(x)) \oplus (c \oplus c')$$

for any $x$. Thus the sum, $f \oplus g$, is in $U(F)$ as well. Moreover, the all-zero function is in $U(F)$ for any $F$. Therefore, any nonlinear invariant $g_S \in U(S)$ can actually be described by a linear combination of basis elements of $U(S)$. More precisely, let $b_1, \ldots, b_d : \mathbb{F}_2^n \to \mathbb{F}_2$ be a basis of $U(S)$, then any $g_S \in U(S)$ can be written as

$$g_S = \bigoplus_{i=1}^{d} \gamma_i b_i$$

for suitable coefficients $\gamma_i$ in $\mathbb{F}_2$.

To identify a nonlinear invariant $g_S \in U(S)$, the idea is to consider the algebraic normal form (ANF) of $g_S$, that is to express $g_S$ as

$$g_S(x) = \bigoplus_{u \in \mathbb{F}_2^n} \lambda_u x^u,$$
where $\lambda_u \in \mathbb{F}_2$ are the coefficients to be determined and $x^u$ denotes $\prod_i x_i^{u_i}$. The key observation is that Eq. (2), for any fixed $x \in \mathbb{F}_2^n$, translates into one linear (or affine) equation for the coefficients $\lambda_u$, namely

$$\bigoplus_{u \in \mathbb{F}_2^n} \lambda_u \left(x^u \oplus S(x)^u\right) = c.$$

The ANF of $(x^u \oplus S(x)^u)$ is computed for all $u \in \mathbb{F}_2^n$, and we can easily solve for the basis $b_1, \ldots, b_d \in U(S)$ for $n$ not too big. Appendix A shows the algorithm in detail. In particular, for commonly used S-box sizes of up to 8 bits, the space $U(S)$ can be computed in less than a second on a standard PC.
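The computation of $U(S)$ just described, as an added example (this is not the paper's Appendix A code): it builds one linear equation per input $x$ in the ANF coefficients $\lambda_u$ and the constant $c$, solves the system over $\mathbb{F}_2$, and cross-checks the result against a brute-force enumeration of all Boolean functions. The Midori64 S-box Sb0 used as input is recalled from the Midori specification; it is not given on this page.

```python
# Computing U(S), the space of nonlinear invariants of an S-box, by solving the linear
# system in the ANF coefficients lambda_u (added example, not the paper's Appendix A code).

def monomial(x, u):
    """x^u = product of x_i over the bits i set in u, i.e. 1 iff every bit of u is set in x."""
    return 1 if (x & u) == u else 0

def nullspace_f2(rows, nvars):
    """Basis of {v : <row, v> = 0 over F2 for all rows}; rows and vectors are int bitmasks."""
    pivots = {}                                  # pivot column -> fully reduced row
    for row in rows:
        for p, prow in pivots.items():           # eliminate the existing pivot columns
            if (row >> p) & 1:
                row ^= prow
        if row:
            p = row.bit_length() - 1
            for q in pivots:                     # keep every other row zero in column p
                if (pivots[q] >> p) & 1:
                    pivots[q] ^= row
            pivots[p] = row
    basis = []
    for f in range(nvars):                       # one basis vector per free column f
        if f not in pivots:
            v = 1 << f
            for p, prow in pivots.items():
                if (prow >> f) & 1:
                    v |= 1 << p
            basis.append(v)
    return basis

def invariant_space(sbox):
    """Basis of U(S) as pairs (lam, c): lam is the ANF of g as a bitmask over u, and
    g(x) = g(S(x)) ^ c.  Each x gives one linear equation XOR_u lam_u (x^u ^ S(x)^u) = c
    in the 2^n unknowns lam_u and the unknown c (stored as variable number 2^n)."""
    size = len(sbox)
    rows = []
    for x in range(size):
        row = 1 << size                          # c appears with coefficient 1 in every equation
        for u in range(size):
            if monomial(x, u) ^ monomial(sbox[x], u):
                row |= 1 << u
        rows.append(row)
    return [(v & ((1 << size) - 1), (v >> size) & 1) for v in nullspace_f2(rows, size + 1)]

def anf_to_table(lam, n):
    """Truth table of g(x) = XOR_u lam_u x^u over all x in F2^n."""
    return [sum(monomial(x, u) for u in range(1 << n) if (lam >> u) & 1) & 1 for x in range(1 << n)]

def invariant_constant(sbox, table):
    """c if g(x) ^ g(S(x)) == c for all x (g given by its truth table), else None."""
    c = table[0] ^ table[sbox[0]]
    return c if all(table[x] ^ table[sbox[x]] == c for x in range(len(sbox))) else None

def count_invariants_bruteforce(sbox):
    """|U(S)| by testing every Boolean function on n bits; only feasible for n <= 4."""
    size = len(sbox)
    return sum(invariant_constant(sbox, [(t >> x) & 1 for x in range(size)]) is not None
               for t in range(1 << size))

# Midori64's S-box Sb0 as in the Midori specification (recalled here, not taken from this page).
MIDORI_SB0 = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7, 0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

if __name__ == "__main__":
    for lam, c in invariant_space(MIDORI_SB0):
        print("monomials u =", [u for u in range(16) if (lam >> u) & 1], " c =", c)
```

Sb0 is an involution with four fixed points, so $c = 1$ is impossible and $U(S)$ consists of the functions constant on its ten orbits; the solver and the brute-force count agree on $2^{10}$ invariants.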
So far, we have considered only a single S-box, and it still needs to be discussed how those results can be translated into the knowledge of invariants for the parallel execution of S-boxes, i.e. for $\mathcal{S}$. Again, for a layer of S-boxes $\mathcal{S}$, computing $U(\mathcal{S})$ directly using its ANF is (in general) too expensive. However, we can easily construct many elements in $U(\mathcal{S})$ from elements in $U(S)$ as summarized in the following proposition.

Proposition 1. Let $g_i \in U(S)$, for $i \in \{1, \ldots, t\}$, be any set of invariants for the S-box $S$. Then, any function of the form

$$g(x_1, \ldots, x_t) = \bigoplus_{i=1}^{t} \alpha_i\, g_i(x_i)$$

with $\alpha_i \in \mathbb{F}_2$ is in $U(\mathcal{S})$, that is an invariant for the entire S-box layer. The set of such functions forms a subspace of $U(\mathcal{S})$ of dimension $d \cdot t$, where $d$ is the dimension of $U(S)$ and $t$ is the number of parallel S-boxes.

We denote this subspace of invariants for $\mathcal{S}$ by $U'(\mathcal{S})$, and $U'(\mathcal{S}) \subset U(\mathcal{S})$.

It turns out that, in general, many more elements are contained in $U(\mathcal{S})$ than those covered by the construction above. We decided to shift those details, which are not directly necessary for the understanding of the attacks presented in Sects. 4 and 5, to the end of the paper, in Sect. 6.
The Linear Layer. For the linear layer, computing $U(L)$ using its ANF seems again difficult. But, as stated above, we focus on

$$g \in (U(L) \cap U'(\mathcal{S})) \subset (U(L) \cap U(\mathcal{S})) \subset U(R),$$

and computing $U(L) \cap U'(\mathcal{S})$ is feasible in all practical cases.

Recall that any nonlinear invariant $g \in U(S)$ can actually be described by a linear combination of a basis of $U(S)$ as

$$g = \bigoplus_{i=1}^{d} \gamma_i b_i.$$

As any $f$ in $U'(\mathcal{S})$ is itself a direct sum of elements in $U(S)$, it can be written as

$$f(x_1, \ldots, x_t) = \bigoplus_{i=1}^{t} \bigoplus_{j=1}^{d} \beta_{i,j}\, b_j(x_i)$$

with $\beta_{i,j} \in \mathbb{F}_2$. Computing those coefficients $\beta_{i,j}$ can again be done by solving a linear system, as any fixed $x \in (\mathbb{F}_2^n)^t$ results in a linear equation for the coefficients by using

$$f(x) = f(L(x)).$$

As long as the dimension of $U'(\mathcal{S})$, i.e. the number of unknowns, is not too large, this again can be computed within seconds on a standard PC.
Experimental Results. When the procedure explained above was applied to the ciphers SCREAM and Midori, it instantaneously detected possible attacks. Actually, as we will explain next, there is a common structural reason why nonlinear invariant attacks are possible on those ciphers.
3.2 Structural Weakness with Respect to Nonlinear Invariant

Let us consider linear layers which are actually used in the LS-designs [9] (cf. Sect. 4) and also in any AES-like cipher that uses a binary diffusion matrix as a replacement for the usual MixColumns operation. Then, we consider a linear layer that can be decomposed into the parallel application of $n$ identical $t \times t$ binary matrices $M$. The input for the first $t \times t$ matrix is composed of all the first output bits of the $t$ S-boxes, the input for the second matrix is composed of all the second output bits of the S-boxes, etc.

Here, when $M$ is an orthogonal matrix, that is if

$$\langle x, y \rangle = \langle xM, yM \rangle \quad \forall\, x, y,$$

any quadratic nonlinear invariant for the S-box can be extended to a nonlinear invariant of the whole round function as described in Theorem 1.

Note that from a design point of view, taking $M$ as an orthogonal matrix seems actually beneficial. Thanks to the orthogonality of $M$, bounds on the number of active S-boxes for differential cryptanalysis directly imply the same bounds on the number of active S-boxes for linear cryptanalysis.
Theorem 1. For the SPN ciphers whose round function follows the construction used in LS-designs, let $M \in \mathbb{F}_2^{t \times t}$ be the binary representation of the linear layer and $M$ is orthogonal. Assume there is a nonlinear invariant $g_S$ for the S-box. If $g_S$ is quadratic, then the function $g(x) = \bigoplus_{i=1}^{t} g_S(x_i)$ is a nonlinear invariant for $L$.

Proof. Let $x$ and $y$ be the input and output of $L$, respectively. Moreover, $x_i[j]$ and $y_i[j]$ denote the $j$th bit of $x_i$ and $y_i$, respectively. For simplicity, let $x^T \in (\mathbb{F}_2^t)^n$ and $y^T \in (\mathbb{F}_2^t)^n$ be the transposed input and output, respectively, where $x^T_j \in \mathbb{F}_2^t$ denotes $(x_1[j], x_2[j], \ldots, x_t[j])$. Then, it holds $y^T_i = x^T_i \times M$ for all $i \in \{1, 2, \ldots, n\}$. Since the Boolean function $g_S$ is quadratic, the function is represented as

Therefore, the function $g(x) = \bigoplus_{i=1}^{t} g_S(x_i)$ is a nonlinear invariant for $L$.

Assuming that the matrix $M$ is orthogonal, Theorem 1 shows that there is a nonlinear invariant for the round function $L \circ \mathcal{S}$ if there is a quadratic function which is nonlinear invariant for the S-box.
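The following added example (not code from the paper) puts Sect. 2 and Theorem 1 together on a constructed toy cipher: a 16-bit SPN with four 4-bit S-boxes that preserve the quadratic $g_S$ of Example 1, a linear layer applying an orthogonal binary matrix $M$ to each bit-slice as in Theorem 1, weak round constants and identical round keys. It runs the known-plaintext distinguisher of Sect. 2.1 and the ciphertext-only CBC message recovery of Sect. 2.2 in guess-and-determine form (Eq. (1)); the S-box, $M$, keys, IVs and plaintexts are all constructed sample values.

```python
# Toy 16-bit SPN with a quadratic nonlinear invariant: weak-key distinguisher and
# CBC message recovery (added example, not the paper's code; all values constructed).
import random

def g_sbox(x):
    """g_S(x4,x3,x2,x1) = x4x3 + x3 + x2 + x1 from Example 1 (x1 is the LSB of the nibble)."""
    return (((x >> 3) & (x >> 2)) ^ (x >> 2) ^ (x >> 1) ^ x) & 1

# Constructed 4-bit S-box: maps {x : g_S(x) = 0} onto itself and {x : g_S(x) = 1} onto
# itself, so g_S(S(x)) = g_S(x) for every x (a nonlinear invariant of S with c = 0).
SBOX = [5, 9, 14, 15, 1, 8, 0, 13, 12, 4, 7, 3, 6, 10, 2, 11]
M = [0b0111, 0b1011, 0b1101, 0b1110]   # J + I over F2: symmetric and orthogonal (M M^T = I)
ROUNDS, NONLIN_MASK = 8, 0xCCCC        # g is nonlinear in bits x4, x3 of each nibble
ROUND_CONSTS = [(0x2B3C * r) & 0x3333 for r in range(ROUNDS)]   # weak: zero on NONLIN_MASK

def nibbles(x):
    return [(x >> (4 * i)) & 0xF for i in range(4)]

def linear_layer(x):
    """Apply M to each bit-slice (x_1[j], ..., x_4[j]) of the four nibbles, as in Theorem 1."""
    ns, out = nibbles(x), [0] * 4
    for j in range(4):
        xs = sum(((ns[i] >> j) & 1) << i for i in range(4))   # the slice x^T_j
        for i in range(4):                                      # y^T_j = x^T_j M
            out[i] |= (bin(xs & M[i]).count("1") & 1) << j
    return sum(n << (4 * i) for i, n in enumerate(out))

def encrypt(p, k):
    """Key-alternating cipher: S-box layer, linear layer, XOR of round constant and key k."""
    x = p
    for r in range(ROUNDS):
        x = sum(SBOX[n] << (4 * i) for i, n in enumerate(nibbles(x)))
        x = linear_layer(x) ^ ROUND_CONSTS[r] ^ k
    return x

def g(x):
    """g = XOR of g_S over the four nibbles: invariant for S, for L (M orthogonal) and weak keys."""
    return sum(g_sbox(n) for n in nibbles(x)) & 1

def distinguisher(k, n_pairs=64, seed=1):
    """Known-plaintext distinguisher: True iff g(P) ^ g(C) is constant over n_pairs random P."""
    rng = random.Random(seed)
    return len({g(p) ^ g(encrypt(p, k)) for p in (rng.getrandbits(16) for _ in range(n_pairs))}) == 1

def cbc_pairs(p1, k, n_ivs=32, seed=2):
    """Constructed scenario: the same first block P1 encrypted in CBC mode under k with n_ivs
    different IVs; the attacker only sees (IV_i, C_1^i) = (IV_i, E_k(P1 ^ IV_i))."""
    rng = random.Random(seed)
    return [(iv, encrypt(p1 ^ iv, k)) for iv in (rng.getrandbits(16) for _ in range(n_ivs))]

def recover_nonlinear_part(pairs):
    """Guess and determine the NONLIN_MASK bits of P1 (Eq. (1)): a guess x is consistent iff
    g(x ^ IV_i) ^ g(C_1^i) takes a single value over all i; the unknown linear part of P1
    adds the same constant to every equation and drops out."""
    return [x for x in range(1 << 16) if (x & ~NONLIN_MASK) == 0
            and len({g(x ^ iv) ^ g(c) for iv, c in pairs}) == 1]

if __name__ == "__main__":
    print("weak key 0x1322:", distinguisher(0x1322), "| key 0x9A5F:", distinguisher(0x9A5F))
    print("recovered P1 & NONLIN_MASK:", [hex(x) for x in recover_nonlinear_part(cbc_pairs(0xBEEF, 0x1322))])
```

Keys with a zero in both bits $x_4, x_3$ of every nibble are the weak keys here (density $2^{-8}$); for them $g(P) \oplus g(C)$ is constant for every plaintext, while a key with nonlinear bits set breaks the relation after one round.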
The most interesting application of the nonlinear invariant attack is a practical attack against the authenticated encryption SCREAM and iSCREAM in the nonce-respecting model. Both authenticated encryptions have $2^{96}$ weak keys, and we then practically distinguish their ciphers from a random permutation. Moreover, we can extend this attack to a ciphertext-only attack.
4.1 Specification of SCREAM

SCREAM is an authenticated encryption and a candidate of the CAESAR competition [11]. It uses the tweakable block cipher Scream, which is based on the tweakable variant of LS-designs [9].

LS-Designs. LS-designs were introduced by Grosso et al. in [9], and they are used to design block ciphers. We do not discuss the design rationale in this paper, and we only show the brief structure needed to understand this paper. The state of LS-designs is represented as an $s \times \ell$ matrix, where every element of the matrix is only one bit, i.e., the block length is $n = s \times \ell$. The $i$th round function proceeds as follows:

1. The $s$-bit S-box $S$ is applied to $\ell$ columns in parallel.
2. The $\ell$-bit L-box $L$ is applied to $s$ rows in parallel.
3. The round constant $C(i)$ is XORed with the state.
4. The secret key $K$ is XORed with the state.

Figure 2 shows the components of an LS-design. Let SB and LB be the S-box layer and L-box layer, respectively. Then, we call the composite function $(LB \circ SB)$ an LS-function. Let $x \in \mathbb{F}_2^{s \times \ell}$ be the state of LS-designs. Then $x[i, \star] \in \mathbb{F}_2^{\ell}$ denotes the row of index $i$ of $x$, and $x[\star, j] \in \mathbb{F}_2^{s}$ denotes the column of index $j$ of $x$. Moreover, let $x[i, j]$ be the bit in the $(i+1)$th row and $(j+1)$th column. The S-box $S$ is applied to $x[\star, j]$ for all $j \in [0, \ell)$, and the L-box $L$ is applied to $x[i, \star]$ for all $i \in [0, s)$.

Fig. 2 The components of an LS-design
Tweakable Block Cipher Scream. Scream is based on a tweakable LS-design with an $8 \times 16$ matrix, i.e., the block length is $8 \times 16 = 128$ bits. Let $x \in \mathbb{F}_2^{8 \times 16}$ be the state of Scream; then the entire algorithm is defined as Algorithm 1. Here $S$ and $L$ denote the 8-bit S-box and 16-bit L-box, respectively. The round constant $C(r)$ is defined as

$$C(r) = 2199 \cdot r \bmod 2^{16}.$$

Fig. 3 The $\sigma$th step function of Scream

The binary representation of $C(r)$ is XORed with the first row $x[0, \star]$. Scream uses a 128-bit key $K$ and a 128-bit tweak $T$ as follows. First, the tweak is divided into 64-bit halves, i.e., $T = t_0 \| t_1$. Then, every tweakey is defined as

$$TK(\sigma = 3i) = K \oplus (t_0 \| t_1),$$
$$TK(\sigma = 3i + 1) = K \oplus ((t_0 \oplus t_1) \| t_1),$$
$$TK(\sigma = 3i + 2) = K \oplus (t_1 \| (t_0 \oplus t_1)).$$

Here, $x[i, \star]$ contains state bits from $16(i - 1)$ to $16i - 1$, e.g., $x[0, \star]$ contains state bits from 0 to 15 and $x[1, \star]$ contains state bits from 16 to 31. Moreover, Fig. 3 shows the step function, where SB and LB are the S-box layer and L-box layer, respectively.
Authenticated Encryption SCREAM. The authenticated encryption SCREAM uses the tweakable block cipher Scream in the TAE mode [20]. SCREAM consists of three steps: associated data processing, encryption of the plaintext block, and tag generation. Since our attack exploits the encryption of the plaintext block, we explain this part of the specification (see Fig. 4). Plaintext values are encrypted by using Scream in order to produce the ciphertext values, and all blocks use $T_c = (N \| c \| 00000000)$. If the last block is a partial block, its bit length is encrypted to generate a mask, which is then truncated to the partial block size.