Cryptanalysis of 10-round SKINNY-128-128 (SKINNY 2018-2019 Competition)

This repository contains information about the cryptanalysis of the tweakable block cipher SKINNY-128-128 reduced to 10 rounds. This target was suggested by the SKINNY 2018-2019 Cryptanalysis Competition. The competition provides the encryption, under a secret key, of a known e-book of 2^20 blocks (a known-plaintext setting). The goal is to recover the secret key.

writeup.pdf describes the attack used to break the 10-round version of SKINNY-128-128. In brief, it is a second-order truncated differential attack or, equivalently, an integral attack. For particular quadruples of plaintexts differing only in the last two bytes, the 10th byte of the state after 6 encryption rounds XOR-sums to zero. This state byte can be computed from the ciphertext by inverting the last 4 rounds, which requires only 6 bytes of the master key. These 6 key bytes are found by an exhaustive search that verifies the zero-sum property on several such plaintext-ciphertext quadruples: a wrong key guess passes a single zero-sum check with probability about 2^-8, so a handful of quadruples (six or more for a 48-bit search) suffice to single out the right one. The search takes about 2^48 computations.

The repository contains the following scripts:

  1. `$ pypy find_2nd_diff.py data/skinny128_10_rounds.bin 2` finds all second-order differences in the plaintext pool with at most 2 active bytes (runs in less than a minute).
  2. `$ pypy find_zerosum.py data/2nd_diffs_128_10_maxactive2 6f` finds all zero-sum properties after 6 full rounds of SKINNY-128-128 by an empirical check with random keys, using the quadruples produced by the first script. It also prints, in C syntax, the ciphertext quadruples that satisfy the zero-sum at state byte 10, ready to be pasted into `brute.c`.
  3. `brute.c` performs an optimized exhaustive search over the 6 key bytes, verifying each candidate with the zero-sum property, and outputs the correct 6 bytes of the master key (requires a few days on several cores).

The remaining 10 bytes of the key can be recovered in the same way, with searches over small chunks of the key at a time. This could be fully automated, but I have not implemented it; the rest of the key was recovered by manual analysis.
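As an added example (not the repository's `find_2nd_diff.py`, `find_zerosum.py` or `brute.c`), the following Python code implements SKINNY-128-128 from the published specification (8-bit S-box built from its NOR/XOR circuit, 6-bit LFSR round constants, TK1-only tweakey schedule, ShiftRows, MixColumns; the full 40-round cipher is checked against the specification's test vector) and then reproduces the two data-side steps of the attack: finding quadruples {p, p^a, p^b, p^a^b} whose differences are confined to the last two bytes of a known-plaintext pool, and the empirical zero-sum check over random keys. The pool is constructed here, with one planted quadruple. The README does not say which "particular" quadruple forms the writeup uses, so the example assumes the form with a active in byte 14 only and b in byte 15 only; for that form every state byte provably sums to zero through 3 rounds and all bytes except 1, 5 and 13 through 4 rounds (the two difference bytes are not mixed into a single cell before the fourth S-box layer), while the 6-round zero-sum at byte 10 is the writeup's empirical result that `zero_sum_bytes` lets you test for any quadruple you find. All function names are this example's own.

```python
"""Added example: SKINNY-128-128 reduced-round encryption plus the quadruple search
and the empirical zero-sum check described above.  Illustrative code, not the
repository's own scripts."""
import random
from itertools import combinations


def _sbox8(x):
    """SKINNY 8-bit S-box from its circuit description: four iterations of two
    NOR+XOR updates followed by a bit permutation; the last permutation is
    replaced by a swap of bits 1 and 2 (x7 is the MSB)."""
    b = [(x >> i) & 1 for i in range(8)]
    for it in range(4):
        b[4] ^= 1 ^ (b[7] | b[6])   # x4 ^= NOR(x7, x6)
        b[0] ^= 1 ^ (b[3] | b[2])   # x0 ^= NOR(x3, x2)
        if it < 3:                  # (x7..x0) <- (x2, x1, x7, x6, x4, x0, x3, x5)
            b = [b[5], b[3], b[0], b[4], b[6], b[7], b[1], b[2]]
        else:                       # final step: swap x1 and x2
            b = [b[0], b[2], b[1], b[3], b[4], b[5], b[6], b[7]]
    return sum(bit << i for i, bit in enumerate(b))


SBOX = [_sbox8(x) for x in range(256)]
# Tweakey cell permutation: new TK[i] = old TK[PT[i]]
PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]


def round_constants(nrounds):
    """6-bit LFSR constants rc5..rc0, updated before use: 01, 03, 07, 0f, 1f, 3e, 3d, ..."""
    rc, out = 0, []
    for _ in range(nrounds):
        rc = ((rc << 1) & 0x3F) | (((rc >> 5) ^ (rc >> 4) ^ 1) & 1)
        out.append(rc)
    return out


def skinny128_128_encrypt(plaintext, key, nrounds=40):
    """Encrypt one 16-byte block (4x4 state loaded row-wise) with SKINNY-128-128
    reduced to `nrounds` rounds; 40 rounds is the full cipher."""
    s, tk = list(plaintext), list(key)
    for rc in round_constants(nrounds):
        s = [SBOX[c] for c in s]                                    # SubCells
        s[0] ^= rc & 0xF; s[4] ^= rc >> 4; s[8] ^= 0x2              # AddConstants
        for i in range(8):                                          # AddRoundTweakey
            s[i] ^= tk[i]                                           # (rows 0 and 1 of TK1)
        tk = [tk[PT[i]] for i in range(16)]                         # tweakey schedule
        s = [s[4 * r + (c - r) % 4] for r in range(4) for c in range(4)]  # ShiftRows: row r right by r
        m = s[:]                                                    # MixColumns
        for c in range(4):
            r0, r1, r2, r3 = s[c], s[4 + c], s[8 + c], s[12 + c]
            m[c], m[4 + c], m[8 + c], m[12 + c] = r0 ^ r2 ^ r3, r0, r1 ^ r2, r0 ^ r2
        s = m
    return bytes(s)


def spec_test_vector_ok():
    """Full 40-round check against the SKINNY-128-128 test vector of the specification."""
    key = bytes.fromhex("4f55cfb0520cac52fd92c15f37073e93")
    pt = bytes.fromhex("f20adb0eb08b648a3b2eeed1f0adda14")
    return skinny128_128_encrypt(pt, key) == bytes.fromhex("22ff30d498ea62d7e45b476e33675b74")


def xor(u, v):
    return bytes(p ^ q for p, q in zip(u, v))


def find_quadruples_last_two_bytes(pool):
    """Step 1 of the attack: quadruples {p, p^a, p^b, p^a^b} in a known-plaintext pool
    whose differences a, b live in bytes 14 and 15 only.  Blocks are grouped by their
    first 14 bytes; inside a group every sorted triple (p, q, r) is completed by
    p^q^r, accepted only when it is larger than r so each quadruple is reported once.
    Cubic per group, which is fine for a demonstration."""
    groups = {}
    for blk in pool:
        groups.setdefault(bytes(blk[:14]), set()).add(bytes(blk[14:]))
    quads = []
    for head, tails in groups.items():
        for p, q, r in combinations(sorted(tails), 3):
            fourth = xor(xor(p, q), r)
            if fourth > r and fourth in tails:
                quads.append([head + t for t in (p, q, r, fourth)])
    return quads


def zero_sum_bytes(quadruple, nrounds, keys):
    """Step 2 of the attack: indices of state bytes after `nrounds` rounds whose XOR
    over the four plaintexts is zero for every key tried (empirical integral check)."""
    alive = set(range(16))
    for key in keys:
        cts = [skinny128_128_encrypt(p, key, nrounds) for p in quadruple]
        alive = {i for i in alive if cts[0][i] ^ cts[1][i] ^ cts[2][i] ^ cts[3][i] == 0}
    return alive


def demo_pool(seed=1):
    """Constructed pool: 60 random blocks plus one planted quadruple with
    a active in byte 14 only and b active in byte 15 only."""
    rng = random.Random(seed)
    pool = [bytes(rng.randrange(256) for _ in range(16)) for _ in range(60)]
    base = bytes(range(16))
    a = bytes(14) + bytes([0x5A, 0x00])
    b = bytes(14) + bytes([0x00, 0xC3])
    pool += [base, xor(base, a), xor(base, b), xor(xor(base, a), b)]
    rng.shuffle(pool)
    return pool


def random_keys(n, seed=2):
    rng = random.Random(seed)
    return [bytes(rng.randrange(256) for _ in range(16)) for _ in range(n)]


if __name__ == "__main__":
    quads = find_quadruples_last_two_bytes(demo_pool())
    keys = random_keys(16)
    for r in (3, 4, 6):
        print(r, "rounds: zero-sum state bytes", sorted(zero_sum_bytes(quads[0], r, keys)))
```

Running the script prints the zero-sum bytes for the planted quadruple after 3, 4 and 6 rounds. A zero-sum that survives many random keys is a property of the cipher, not of a key, which is why the second script can use random keys to find the 6-round property before any key material is known; the same `zero_sum_bytes` check, applied to partially decrypted ciphertexts, is the filter the key search relies on.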