Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96

  • Christoph Dobraunig, Digital Security Group, Radboud University, Nijmegen, Netherlands
  • Yann Rotella, Digital Security Group, Radboud University, Nijmegen, Netherlands; Laboratoire de Mathématiques de Versailles, UVSQ, CNRS, Université Paris-Saclay, Versailles, France
  • Jan Schoone, Digital Security Group, Radboud University, Nijmegen, Netherlands
Keywords: cryptanalysis, NIST call for lightweight cryptography, Pyjamask, algebraic cryptanalysis, higher-order differentials, symmetric cryptography

Abstract

Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations obtained for 2.5 rounds of Pyjamask-96. The AEAD scheme Pyjamask itself is not threatened by the work in this paper.

Published: 2020-05-07

How to Cite: Dobraunig, C., Rotella, Y., & Schoone, J. (2020). Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96. IACR Transactions on Symmetric Cryptology, 2020(1), 289-312. https://doi.org/10.13154/tosc.v2020.i1.289-312

Section: Articles