18
views
0
recommends
+1 Recommend
0 collections
    0
    shares
      • Record: found
      • Abstract: found
      • Article: found
      Is Open Access

      Integral Distinguishers of the Full-Round Lightweight Block Cipher SAT_Jo

      1 , 1 , 2 , 3 , 4
      Security and Communication Networks
      Hindawi Limited

      Read this article at

      Bookmark
          There is no author summary for this article yet. Authors can add summaries to their articles on ScienceOpen to make them more accessible to a non-specialist audience.

          Abstract

          Integral cryptanalysis based on division property is a powerful cryptanalytic method whose range of successful applications was recently extended through the use of Mixed-Integer Linear Programming (MILP). Although this technique was demonstrated to be efficient in specifying distinguishers of reduced round versions of several families of lightweight block ciphers (such as SIMON, PRESENT, and few others), we show that this method provides distinguishers for a full-round block cipher SAT_Jo. SAT_Jo cipher is very similar to the well-known PRESENT block cipher, which has successfully withstood the known cryptanalytic methods. The main difference compared to PRESENT, which turns out to induce severe weaknesses of SAT_Jo algorithm, is its different choice of substitution boxes (S-boxes) and the bit-permutation layer for the reasons of making the cipher highly resource-efficient. Even though the designers provided a security analysis of this scheme against some major generic cryptanalytic methods, an application of the bit-division property in combination with MILP was not considered. By specifying integral distinguishers for the full-round SAT_Jo algorithm using this method, we essentially disapprove its use in intended applications. Using a 30-round distinguisher, we also describe a subkey recovery attack on the SAT_Jo algorithm whose time complexity is about 2 66 encryptions (noting that SAT_Jo is designed to provide 80 bits of security). Moreover, it seems that the choice of bit-permutation induces weak division properties since replacing the original bit-permutation of SAT_Jo by the one used in PRESENT immediately renders integral distinguishers inefficient.

          Related collections

          Most cited references22

          • Record: found
          • Abstract: not found
          • Book Chapter: not found

          Linear Cryptanalysis Method for DES Cipher

            Bookmark
            • Record: found
            • Abstract: not found
            • Book Chapter: not found

            The block cipher Square

              Bookmark
              • Record: found
              • Abstract: not found
              • Book Chapter: not found

              Integral Cryptanalysis

                Bookmark

                Author and article information

                Contributors
                Journal
                Security and Communication Networks
                Security and Communication Networks
                Hindawi Limited
                1939-0122
                1939-0114
                September 18 2021
                September 18 2021
                : 2021
                : 1-9
                Affiliations
                [1 ]Guilin University of Electronic Technology, Guilin 541004, China
                [2 ]State Key Laboratory of Cryptology, P. O. Box 5159, Beijing 100878, China
                [3 ]Technical University of Denmark, DTU Compute, Kongens Lyngby, Denmark
                [4 ]University of Primorska, FAMNIT, Koper, Slovenia
                Article
                10.1155/2021/5310545
                e898a7ef-47df-4a56-9e60-33ebf62de459
                © 2021

                https://creativecommons.org/licenses/by/4.0/

                History

                Comments

                Comment on this article