Practical Attacks on Full-round FRIET

Abstract
FRIET is a duplex-based authenticated encryption scheme proposed at EUROCRYPT 2020. It follows a novel design approach with built-in countermeasures against fault attacks. By a judicious choice of components, the designers propose the permutation FRIET-PC, which can be used to build an authenticated encryption cipher denoted FRIET-AE. FRIET-AE provides a 128-bit security claim for integrity and confidentiality. In this paper, we study the propagation of pairs of differences and linear masks through the round function of FRIET-PC. For the full-round FRIET-PC, we construct a differential distinguisher with probability 1 and a linear distinguisher whose correlation has absolute value 1. Moreover, we use the differential distinguisher with probability 1 to construct a set of valid tags and ciphertexts that were not created by legitimate users. This breaks FRIET-AE's security claim for integrity and confidentiality. As far as we know, this is the first practical attack that threatens the security of FRIET-AE.


Introduction
Permutation-based cryptographic components are widely used in the design of ciphers. Firstly, permutations can be used in the Sponge [BDPA08] mode to obtain hash functions. For example, KECCAK [BDPA11b], built on the permutation Keccak-f, won the U.S. National Institute of Standards and Technology (NIST) Secure Hash Algorithm-3 (SHA-3) competition in 2012. Secondly, permutations can be used in the Even-Mansour mode to obtain block ciphers, such as Simpira-EM [GM16]. Thirdly, permutations can be used in the Duplex [BDPA11a] construction to design authenticated encryption (AE) ciphers. For example, ASCON [DEMSb], designed in this way, was selected for the final portfolio of the Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR). Against this background, many cryptographic permutations have been proposed, such as Alzette [BBdS+20], Gimli [BKL+17], Xoodoo [DHAK18], Frit [SBD+18], FRIET [SBD+20], etc.
Thanks to their good security and implementation advantages, permutation-based cryptographic components are also widely used in the design of lightweight ciphers. In March 2021, the NIST Lightweight Cryptography (LWC) project announced its ten finalists, and 6 of the 10 are permutation-based: ASCON [DEMSa], Elephant [BCDM], ISAP [DEM+], PHOTON-Beetle [BCD+], SPARKLE [BBdS+] and Xoodyak [DHP+]. Because lightweight ciphers are often used in constrained environments (constraints on energy, area and memory size), they may be exposed to side-channel attacks. In order to mitigate such attacks, at EUROCRYPT 2020, Simon et al. proposed a novel design method for ciphers with efficient fault-detecting implementations and a concrete authenticated encryption scheme, FRIET [SBD+20]. FRIET builds on the earlier permutation Frit [SBD+18], which had been attacked: [DEMS19] studied the algebraic properties of Frit and gave a key-recovery attack against the full-round Frit-EM (the block cipher constructed from Frit in Even-Mansour mode), and Qin et al. [QDJZ19] gave key-recovery attacks on round-reduced Frit used in the duplex authenticated encryption mode. Taking these attacks into account, a new permutation called FRIET-PC was designed. The designers evaluated the security of FRIET-PC against algebraic attacks, slide attacks, invariant subspace attacks, non-linear invariant attacks, differential attacks, linear attacks, etc. For example, by studying the properties of trails with low-weight input differences and linear masks, they obtained a 6-round differential trail with probability 2^{-59} and an 8-round linear trail with correlation 2^{-80}. At EUROCRYPT 2021, Liu et al. [LSL21] constructed a 12-round rotational differential-linear distinguisher with correlation 2^{-117.81}. Then, Ito et al. [ISS+21] evaluated the security of FRIET-PC against bit-wise cryptanalysis, including rotational attacks, bit-wise differential attacks and integral attacks. It should be noted that none of the above attacks threatens the security of FRIET-PC.

Our Contributions
FRIET-PC adopts an AND-Rotation-XOR construction, and the only nonlinear operation in FRIET-PC is bitwise AND. By constraining the differential probability and linear correlation of the AND operation, we study the propagation of differences and linear masks through the round function of FRIET-PC. For FRIET-PC with any number of rounds, we construct a differential distinguisher with probability 1 and a linear distinguisher whose correlation has absolute value 1. The comparison with previous results is shown in Table 1.
Moreover, when FRIET-PC is used in FRIET, we obtain an authenticated encryption cipher denoted FRIET-AE, which provides a 128-bit security claim for integrity and confidentiality. Using the above differential distinguisher with probability 1, we can practically construct a set of valid tags and ciphertexts that were not created by legitimate users. This breaks the integrity and confidentiality claims of FRIET-AE. Therefore, the design of the permutation FRIET-PC has defects.

Outline
This paper is organized as follows: Sect. 2 introduces differential and linear cryptanalysis and briefly describes the specification of FRIET permutation. In Sect. 3, we propose the differential and linear distinguishers for the full-round FRIET-PC. In Sect. 4, we give the practical attacks on the full-round FRIET-AE. Sect. 5 concludes the paper.

Notations
Notations used in this paper are defined in Table 2.
Table 2: Notations
x ∨ y: bitwise OR of x and y
x ∧ y: bitwise AND of x and y
x · y: the inner product of x and y
x||y: the concatenation of x and y
x << r: shift x to the left by r bits
x ≪ r: rotation of x to the left by r bits
x ≫ r: rotation of x to the right by r bits
wt(x): the Hamming weight of x
⌈c⌉: the nearest integer greater than or equal to c
⌊c⌋: the nearest integer smaller than or equal to c
0^n: an n-bit vector with all entries equal to 0
1^n: an n-bit vector with all entries equal to 1

Differential and Linear Cryptanalysis
Differential cryptanalysis [BS90] and linear cryptanalysis [Mat93] are two powerful methods which have been widely used in the security analysis of many symmetric ciphers.

Definition 1. (Differential [BS90]).
For a vectorial Boolean function f : F_2^n → F_2^m, let α ∈ F_2^n and β ∈ F_2^m be the input and output differences of f. Then, the differential probability of [α, β] over f is defined as:

Definition 2. (Linear Approximation [Mat93]). For a vectorial Boolean function f : F_2^n → F_2^m, let α ∈ F_2^n and β ∈ F_2^m be the input and output linear masks of f. Then, the correlation of the linear approximation (α, β) over f is defined as:

Based on the above definitions, the trivial differential and linear approximation properties of the basic operations (XOR, Branching, XOR-Constant) are introduced in [BS90, Mat93]. Here, we only introduce the differential and linear approximation properties of the AND operation, which will be used in this paper.

Differential Property 1 (AND) [SBD+20].
Let z = f(x, y) be an AND function, where x ∈ F_2^n and y ∈ F_2^n are the input variables and the output variable z is calculated as z = x ∧ y. Then the differential probability of (α||β, γ) over f is as given in [SBD+20], where α||β ∈ F_2^{2n} and γ ∈ F_2^n are the differences of x||y and z, respectively.

Linear Property 1 (AND) [SBD+20].
Let z = f(x, y) be an AND function, where x ∈ F_2^n and y ∈ F_2^n are the input variables and the output variable z is calculated as z = x ∧ y. Then the correlation of (α||β, γ) over f is as given in [SBD+20], where α||β ∈ F_2^{2n} and γ ∈ F_2^n are the linear masks of x||y and z, respectively.
In order to apply differential (linear) cryptanalysis, cryptanalysts have to build a pair of differences (linear masks) for each round of a cipher, such that the output difference (linear mask) of a round matches the input difference (linear mask) of the next round. The differential probability (linear correlation) of the full-round cipher is computed by multiplying the differential probabilities (linear correlations) of the individual rounds. We call a pair of differences (linear masks) valid when its differential probability (linear correlation) is nonzero. If a cipher behaves differently from a random permutation under differential (linear) cryptanalysis, this can be used to build a distinguishing or even a key-recovery attack.
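As an added example (not code from the paper), the following Python script verifies Differential Property 1 and Linear Property 1 of bitwise AND by exhaustive enumeration on short words, and isolates the two special cases the distinguishers rest on: a differential probability of exactly 1 requires that the AND inputs carry no difference, and a correlation of absolute value 1 requires that the AND output mask be zero. The word width N = 3 is a constructed parameter; since AND acts independently on each bit position, the closed forms carry over unchanged to the 128-bit limbs of FRIET-PC, and the last function checks that the all-ones difference 1^n is invariant under rotation.

```python
from itertools import product

N = 3                       # word width for exhaustive enumeration (constructed)
MASK = (1 << N) - 1
WORDS = range(1 << N)

def wt(x):
    """Hamming weight wt(x)."""
    return bin(x).count("1")

def and_dp(alpha, beta, gamma):
    """DP of (alpha||beta -> gamma) over z = x AND y, counted over all 2^(2N) inputs."""
    hits = sum(1 for x, y in product(WORDS, repeat=2)
               if (x & y) ^ ((x ^ alpha) & (y ^ beta)) == gamma)
    return hits / (1 << (2 * N))

def and_cor(alpha, beta, gamma):
    """Correlation of (alpha||beta, gamma): mean of (-1)^(alpha.x + beta.y + gamma.z)."""
    acc = sum(-1 if (wt(alpha & x) + wt(beta & y) + wt(gamma & x & y)) & 1 else 1
              for x, y in product(WORDS, repeat=2))
    return acc / (1 << (2 * N))

def predicted_dp(alpha, beta, gamma):
    """Differential Property 1 (AND): 2^-wt(alpha|beta) if gamma is covered by alpha|beta, else 0."""
    return 2.0 ** -wt(alpha | beta) if gamma & ~(alpha | beta) == 0 else 0.0

def predicted_cor_abs(alpha, beta, gamma):
    """Linear Property 1 (AND): 2^-wt(gamma) if alpha|beta is covered by gamma, else 0."""
    return 2.0 ** -wt(gamma) if (alpha | beta) & ~gamma == 0 else 0.0

def check_properties():
    """Compare counted DP and |Cor| with the closed forms for every mask triple."""
    for a, b, g in product(WORDS, repeat=3):
        if abs(and_dp(a, b, g) - predicted_dp(a, b, g)) > 1e-12:
            return False
        if abs(abs(and_cor(a, b, g)) - predicted_cor_abs(a, b, g)) > 1e-12:
            return False
    return True

def probability_one_inputs():
    """Input differences of the AND admitting an output difference with DP 1."""
    return sorted({(a, b) for a, b, g in product(WORDS, repeat=3) if and_dp(a, b, g) == 1.0})

def correlation_one_masks():
    """Output masks of the AND admitting a linear approximation with |Cor| = 1."""
    return sorted({g for a, b, g in product(WORDS, repeat=3) if abs(and_cor(a, b, g)) == 1.0})

def rotl(x, r):
    """Rotation of an N-bit word to the left by r bits (0 <= r < N)."""
    return ((x << r) | (x >> (N - r))) & MASK

def all_ones_rotation_invariant():
    """The all-ones difference 1^n survives every rotation unchanged, so the linear
    steps of a round (rotation, XOR, XOR-constant) keep it intact."""
    return all(rotl(MASK, r) == MASK for r in range(N))
```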

Description of the Round Function of FRIET
FRIET [SBD+20] is an authenticated encryption scheme with built-in fault detection mechanisms proposed by Simon et al. at EUROCRYPT 2020. Its fault detection ability comes from its underlying permutation, which is designed based on the so-called code embedding approach. The core permutation FRIET-P employed in FRIET operates on 4 limbs (a, b, c, d) ∈ F_2^{4×128}. The permutation FRIET-P is an iterative design with its round function f_{rc_i}(a, b, c, d) visualized in the left part of Figure 1, where rc_i is the round constant for the i-th round listed in Table 3.
By design, the round function maps a code-abiding state to a code-abiding state. Thus, the permutation FRIET-P = f_{rc_23} ∘ f_{rc_22} ∘ ··· ∘ f_{rc_0} also has this property. Consequently, a fault is detected whenever the output does not have the code-abiding property although the input state had it. If we ignore the limb d of FRIET-P, we obtain a new permutation FRIET-PC, visualized in the right part of Figure 1. Since a distinguisher for the permutation FRIET-PC directly translates into a distinguisher for FRIET-P, we focus on the permutation FRIET-PC. The procedure of the FRIET-PC permutation is given in Algorithm 1.

Table 3: Round constants rc_i in hexadecimal notation
i   rc_i          i   rc_i          i   rc_i          i   rc_i
0   0x1111        6   0x110         12  0x1           18  0x1010
1   0x11100000    7   0x11000000    13  0x110000      19  0x1010000
2   0x1101        8   0x1001        14  0x111         20  0x1011
3   0x10100000    9   0x100000      15  0x11110000    21  0x1100000
4   0x101         10  0x100         16  0x1110        22  0x1100
5   0x10110000    11  0x10000000    17  0x11010000    23  0x10010000

Differential and Linear Distinguishers for the Full-Round FRIET-PC
FRIET-PC has only four operations: Rotation, XOR, XOR-Constant and AND. Bitwise AND is the only nonlinear operation in FRIET-PC. If we can effectively control the propagation of differences and linear masks through the bitwise AND operation, we can obtain pairs of differences with high probabilities and pairs of linear masks with high correlations.

A Differential Distinguisher for the Full-Round FRIET-PC
Algorithm 1 FRIET-PC (excerpt)
7: a ← a ⊕ ((b ≪ 36) ∧ (c ≪ 67))
8: end for
9: return (a, b, c)

Because Rotation, XOR and XOR-Constant are all linear operations, the differential probability of a valid pair of differences for these three operations is 1. By Differential Property 1 (AND), the differential probability of a valid pair of differences for the bitwise AND operation is determined by wt(α ∨ β), where α and β are the input differences of the bitwise AND operation. By controlling the value of wt(α ∨ β) effectively, we may obtain a pair of differences with high probability.
Next, we study the differential property of 2-round FRIET-PC.
Thus, we obtain a differential distinguisher with probability 1 for the full-round FRIET-PC. To help readers understand the differential distinguisher better, we show its propagation through 1-round FRIET-PC in the left part of Figure 2.

A Linear Distinguisher for the Full-Round FRIET-PC
Because Rotation, XOR and XOR-Constant are all linear operations, the linear correlation of a valid pair of linear masks for these three operations is 1 or -1. By Linear Property 1 (AND), the linear correlation of a valid pair of linear masks for the bitwise AND operation is determined by wt(γ), where γ is the output linear mask of the bitwise AND operation. By controlling the value of wt(γ) effectively, we may obtain pairs of linear masks with high correlations.

Lemma 3. Let Γ_in = (α, β, γ) and Γ_out = (α′, β′, γ′) be the input and output linear masks of the i-th round function (a′, b′, c′) = FRIET-PC_i(a, b, c). The absolute value of the correlation Cor(Γ_in, Γ_out) is 1 if and only if Eq. (13) holds.

Proof. By the round function of FRIET-PC, we can write (a′, b′, c′) in terms of (a, b, c). On one hand, suppose the absolute value of Cor(Γ_in, Γ_out) is 1. According to Linear Property 1 (AND), the input linear mask and the output linear mask of the AND operation must then be 0^128||0^128 and 0^128, respectively. Because ((b′ ≪ 36) ∧ (c′ ≪ 67)) appears only in a′, we have α′ = 0. Then Γ_in · (a, b, c) and Γ_out · (a′, b′, c′) must agree (up to a constant) for every input, which gives Eq. (13). The necessity is proved. On the other hand, if the input linear mask (α, β, γ) and the output linear mask (α′, β′, γ′) satisfy Eq. (13), the linear correlation through each basic operation (Rotation, XOR, XOR-Constant, AND) in the round function of FRIET-PC is 1 or -1. Thus, the absolute value of the linear correlation is 1. The sufficiency is proved.
Thus, we obtain a linear distinguisher whose correlation has absolute value 1 for the full-round FRIET-PC. To help readers understand the linear distinguisher better, we show its propagation through 1-round FRIET-PC in the right part of Figure 2.

Description of FRIET-AE
When FRIET-P is used in the FRIET authenticated encryption scheme, FRIET-AE is obtained. It is based on the duplex construction and its mode SpongeWrap [BDPA11a], with some modifications. FRIET-AE fixes the key length to 160 bits and uses a tag length and block length of 128 bits. Let Tag ∈ F_2^128 and C be the tag and ciphertext generated by FRIET-AE(K, N, AD, P), where K is the key, N is the nonce, AD is the associated data and P is the plaintext. Because the block length is 128 bits, all input data are split into 128-bit blocks, and the last block may be shorter. Take K as an example and let |K| denote the bit length of K. The number of blocks of K is I_k = ⌈|K|/128⌉, denoted as K = K_{I_k−1} || ... || K_1 || K_0, and the number of blocks of K whose length is exactly 128 bits is J_k = ⌊|K|/128⌋. In the same way, we obtain the values I_n, I_ad, I_p and J_n, J_ad, J_p for N, AD and P, respectively. In order to describe FRIET-AE more concisely, and without affecting correctness, we assume that all plaintext blocks are 128 bits, that is, I_p = J_p.
In this paper, we do not study its fault-resistance ability. Thus, the input and output of the permutation FRIET-PC are 3 limbs (384 bits), denoted (a′, b′, c′) = F(a, b, c). The function that obtains the ciphertext or tag by squeezing the state is denoted a = S(a, b, c). The detailed encryption procedure of FRIET-AE is shown in Figure 3 and Algorithm 2, where 0* denotes padding with zero bits until the length of the entire vector reaches 384 bits.

The Method of Breaking Full-round FRIET-AE
Under the assumption that adversaries respect the nonce requirement for the diversifier and do not get access to deciphered ciphertexts of cryptograms with an invalid tag, FRIET-AE claims 128-bit security for integrity and confidentiality. If adversaries can construct a new cryptogram that has never been created by legitimate users and that is successfully decrypted by a legitimate user, integrity is broken. If the keystream (keyed duplex output) can be predicted or a cryptogram can be decrypted by adversaries, confidentiality is broken. Using the differential distinguisher with probability 1 from Corollary 1, we design an algorithm that generates a set of cryptograms that were not created by legitimate users. The whole framework is illustrated in Algorithm 3.
Algorithm 3 Attack(K, N, AD, P, C, Tag)
Input: (K, N, AD, P, C, Tag)
Output: a set Ω of valid cryptogram data, each element different from (K, N, AD, P, C, Tag)
Line 1: Let Ω be the empty set. flag = 0 means that the difference of the current state is (0^128, 0^128, 0^128), while flag = 1 means that the difference is (1^128, 0^128, 0^128). As defined in Section 4.1, J_k, J_n, J_ad, J_p denote the number of 128-bit blocks of K, N, AD, P, respectively.
Lines 2-36: The bit vectors u_k, u_n, u_ad, u_p indicate whether the difference 1^128 is introduced into some blocks of K, N, AD, P, respectively. Take K for example: u_k[j_k] = 1 means that the difference between blocks K_{j_k} and K′_{j_k} is 1^128, and u_k[j_k] = 0 means that the difference is 0^128. Because the generated cryptogram data should be different from the input cryptogram data (K, N, AD, P, C, Tag), Line 3 is added. According to Section 3.1, the differential probabilities of both (0^128, 0^128, 0^128) → (0^128, 0^128, 0^128) and (1^128, 0^128, 0^128) → (1^128, 0^128, 0^128) over the full-round FRIET-PC are 1. Thus, the value of K′ and the current difference of the state are obtained in Lines 9-10. In the same way, we obtain the values of N′, AD′, C′ and Tag′.
Line 37: All the generated cryptogram data are added to the set Ω. All cryptogram data (K′, N′, AD′, P′, C′, Tag′) ∈ Ω have valid tags and ciphertexts that were not created by legitimate users. It should be noted that they belong to different attack settings, which we discuss separately.
Related-Key Attack.
According to Algorithm 3, we only introduce differences of the form 1^128||0^128||0^128 into the internal state. When there is a difference in K, the number of elements in the set Ω is (2^{J_k} − 1) × 2^{J_n} × 2^{J_ad} × 2^{J_p}.

Single-Key Attack.
If there is no difference in K, under the condition that the nonce cannot be reused, we must introduce differences into N. The number of elements in the set Ω is then (2^{J_n} − 1) × 2^{J_ad} × 2^{J_p}. If adversaries are able to reuse the nonce, the number of elements in the set Ω is 2^{J_n} × 2^{J_ad} × 2^{J_p} − 1.
According to the above analysis, we can construct valid tags and ciphertexts that were not created by legitimate users. The single-key attack without nonce reuse fully complies with the security assumptions of FRIET-AE, so it breaks the integrity and confidentiality security claims. Our attack can be conducted in practical time.

Conclusions
In this paper, differential and linear distinguishers for the full-round FRIET-PC are proposed. Using the differential distinguisher with probability 1, we propose an algorithm that generates a set of valid tags and ciphertexts that were not created by legitimate users. This breaks the integrity and confidentiality security claims of FRIET-AE. It should be noted that our attack does not recover the secret key of FRIET-AE; mounting a key-recovery attack is left for further research.