Key-Recovery Attacks on Full Kravatte

Authors

  • Colin Chaigneau University of Versailles Saint-Quentin-en-Yvelines (UVSQ) , Versailles, France
  • Thomas Fuhr Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris, France
  • Henri Gilbert University of Versailles Saint-Quentin-en-Yvelines (UVSQ) , Versailles, France; Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris, France
  • Jian Guo Nanyang Technological University, Singapore, Singapore
  • Jérémy Jean Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris, France
  • Jean-René Reinhard Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris, France
  • Ling Song Nanyang Technological University, Singapore, Singapore; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

DOI:

https://doi.org/10.13154/tosc.v2018.i1.5-28

Keywords:

Cryptanalysis, Higher Order Differential, Algebraic Attack, Filtered LFSR

Abstract

This paper presents a cryptanalysis of full Kravatte, an instantiation of the Farfalle construction of a pseudorandom function (PRF) with variable input and output length. This new construction, proposed by Bertoni et al., introduces an efficiently parallelizable and extremely versatile building block for the design of symmetric mechanisms, e.g. message authentication codes or stream ciphers. It relies on a set of permutations and on so-called rolling functions: it can be split into a compression layer followed by a two-step expansion layer. The key is expanded and used to mask the inputs and outputs of the construction. Kravatte instantiates Farfalle using linear rolling functions and permutations obtained by iterating the Keccak round function.
We develop in this paper several attacks against this PRF, based on three different attack strategies that bypass part of the construction and target a reduced number of permutation rounds. A higher order differential distinguisher exploits the possibility to build an affine space of values in the cipher state after the compression layer. An algebraic meet-in-the-middle attack can be mounted on the second step of the expansion layer. Finally, due to the linearity of the rolling function and the low algebraic degree of the Keccak round function, a linear recurrence distinguisher can be found on intermediate states of the second step of the expansion layer. All the attacks rely on the ability to invert a small number of the final rounds of the construction. In particular, the last two rounds of the construction together with the final masking by the key can be algebraically inverted, which allows to recover the key.
The complexities of the devised attacks, applied to the Kravatte specifications published on the IACR ePrint in July 2017, or the strengthened version of Kravatte recently presented at ECC 2017, are far below the security claimed.

Downloads

Published

2018-03-01

How to Cite

Chaigneau, C., Fuhr, T., Gilbert, H., Guo, J., Jean, J., Reinhard, J.-R., & Song, L. (2018). Key-Recovery Attacks on Full Kravatte. IACR Transactions on Symmetric Cryptology, 2018(1), 5–28. https://doi.org/10.13154/tosc.v2018.i1.5-28

Issue

Volume 2018, Issue 1

Section

Articles

License

Copyright (c) 2018 Colin Chaigneau, Thomas Fuhr, Henri Gilbert, Jian Guo, Jérémy Jean, Jean-René Reinhard, Ling Song

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.