Truncated Differential-Neural Key Recovery Attacks on Round-Reduced HIGHT
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
The article discusses differential-neural cryptanalysis applied to the block cipher HIGHT. It introduces a novel approach using neural distinguishers, integrating deep learning techniques to differentiate between real and random ciphertexts. The main results include the development of a truncated neural distinguisher for HIGHT, which achieves accuracy comparable to that of full-block neural distinguishers. The study also presents a key recovery attack on a 15-round reduced version of HIGHT, demonstrating enhanced efficiency over traditional methods.
The organization of the article is generally good, with material appropriately distributed across relevant sections. The sections expected in an article of this type are present, and their order is logical.
Below are my suggestions for improving the article:
1. I recommend providing a brief explanation of "differential-neural cryptanalysis" and "neural distinguisher" at the beginning of the introduction to help readers unfamiliar with these concepts better understand the content.
2. Discuss the security analysis of HIGHT using traditional cryptanalytic methods to highlight the need for new approaches like differential-neural cryptanalysis.
3. I recommend evaluating the attack’s resistance to potential modifications in the cipher or variations in its parameters.
Author Response
First, I would like to express my gratitude for your efforts in reviewing my manuscript. Below is my point-to-point response to your comments.
- Comment 1: I recommend providing a brief explanation of "differential-neural cryptanalysis" and "neural distinguisher" at the beginning of the introduction to help readers unfamiliar with these concepts better understand the content.
- Response 1: Thank you for pointing this out. I have revised the first paragraph of the Introduction to include explanations of differential-neural cryptanalysis and the neural distinguisher, based on your comments. Specifically, I clarified that differential-neural cryptanalysis applies deep learning techniques to the traditional cryptanalysis method known as differential cryptanalysis. I explained that the neural distinguisher, a deep learning model trained on specific differential characteristics, is used to guess cryptographic keys through the statistical interpretation of its classification responses to the input ciphertexts. Additionally, I ensured that the key significance of these concepts is presented in accessible language for readers unfamiliar with them. These revisions correspond to lines 24-37 of the revised manuscript.
- Comment 2: Discuss the security analysis of HIGHT using traditional cryptanalytic methods to highlight the need for new approaches like differential-neural cryptanalysis.
- Response 2: Thank you for your insightful comment on presenting and emphasizing the results more clearly. In response, I have revised the comparative analysis of traditional cryptanalysis techniques applied to HIGHT. Specifically, I clarified that the most representative cryptanalysis results on HIGHT, such as the related-key impossible differential attack and the biclique attack, are based on different attack assumptions, making direct comparisons challenging. Therefore, I performed a complexity comparison by constructing a key recovery attack based on traditional differential cryptanalysis using previously known differential characteristics. Furthermore, in the newly added "Section 5. Discussion and Future Directions," I emphasized the need for new approaches, such as differential-neural cryptanalysis, and highlighted the significance of the proposed attack method. These revisions correspond to lines 350-372 of the revised manuscript.
- Comment 3: I recommend evaluating the attack’s resistance to potential modifications in the cipher or variations in its parameters.
- Response 3: Thank you for pointing this out. I agree with your comment that it would be beneficial to clearly present the resistance of this attack. In response, I conducted additional experiments, extending the neural distinguisher results from the originally presented 9 rounds to the 11th round, demonstrating that a meaningful neural distinguisher cannot be constructed beyond the 11th round. I restructured "Section 5. Discussion and Future Directions," where I outlined the maximum number of rounds to which the proposed attack can be applied, and explained that the practical resistance to the proposed attack begins at the 16th round. To briefly explain, the actual number of rounds in HIGHT is 32, indicating that it provides sufficient security against differential-neural cryptanalysis. If modifications to the algorithm were made, there would be no guarantee of resistance against other attack methods. Therefore, considering that HIGHT currently provides sufficient security against differential-neural cryptanalysis, it is considered that potential modifications to the algorithm are unnecessary. These revisions correspond to Table 3 and lines 279-296 and 372-392 of the revised manuscript.
Reviewer 2 Report
Comments and Suggestions for Authors
Please see the attachment.
Comments for author File: Comments.pdf
In my opinion, the use of English language is fit for a research article, although some small mistakes have been spotted. Hence, I suggest reviewing the article to fix them.
Author Response
First, I would like to express my gratitude for your efforts in reviewing my manuscript. Below is my point-to-point response to your comments.
- Comment 1: The introduction is well structured and the contributions are clearly exposed. Also, the introduction is well referenced, although I would suggest adding another reference at the end of the first paragraph about differential-neural cryptanalysis, which has been published this current year (2024): https://doi.org/10.1109/TDSC.2024.3387662
- Response 1: Thank you for your comments on helping to better explain the trends. In addition to the paper you recommended, I have included other recent research results on differential-neural cryptanalysis in the first paragraph of the Introduction. These revisions correspond to lines 24-37 of the revised manuscript.
- Comment 2: Some minor errors have been found throughout those sections, which are exposed in the following sentences.
  - Specifically, the outline of the HIGHT algorithm in subsection 2.1 is adequate, although I would suggest adding a sentence aimed at non-expert readers in order to comment on what the signs <<< and \oplus mean in equation (1). Likewise, I would suggest doing the same for the signs appearing in line 96, namely \boxplus and \boxminus.
  - In subsection 2.2, in line 125, there is a mention of Table 1 which is not done properly, as it appears in the text as ???.
  - In subsection 3.1, the first word of the title is “Approache”. Please check if the word is in fact “Approach”.
  - Also, in line 211, I suggest adding the word “subsection” in front of 2.3 in order to clarify it.
  - Moreover, in line 223, I would suggest substituting the word “first type” with “Type-1” in order to be coherent with the words ‘Type-2’ written in the same line and in Figure 4. Besides, as Type-1 and Type-2 appear capitalized most of the time, I suggest capitalizing them also at the end of line 257, at the beginning of line 258, at the beginning of line 260, at the end of line 260, at the beginning of line 278, and in the middle of line 284.
  - In subsection 4.2, in line 310, please check if the exponent of 2^39 should be negative, as the exponents on the other side of the equal sign are negative.
  - Also, in line 318, please check if the expression WK6 should be WK_6. Likewise, in line 320, please check if the expression WK4 should be WK_4.
  - In line 328, please check if the expression 2 x 2^3 x 2^39 = 2^42 is correct.
- Response 2: Thank you for your very detailed correction comments. Based on your comments, we have made explanations for mathematical symbols, corrected typos, and ensured consistent terminology. The specific revisions are as follows:
  - For unfamiliar readers, we added explanations for \oplus, <<<, \boxplus, and \boxminus, indicating that they represent XOR, 8-bit left rotation, 8-bit modular addition, and 8-bit modular subtraction, respectively. These revisions correspond to lines 87-89 and 98 in the revised manuscript.
  - We corrected the references to tables to ensure they are properly linked. This change is reflected in line 127 of the revised manuscript.
  - "Approache" was a typo and has been corrected to "approach." This revision corresponds to line 174 of the revised manuscript.
  - The reference to the relevant section has been updated to “Section 2.3” using cross-referencing. This revision is in line 213 of the revised manuscript. Additionally, all other references to sections have been updated to use cross-referencing.
  - "First type" was changed to "Type-1." Additionally, we used the symbols ND_{T1} and ND_{T2} to represent the neural distinguishers, making it easier to distinguish between the G and H functions and the neural distinguishers. This revision corresponds to lines 225 and 259-263 in the revised manuscript.
  - The sign in that part should indeed be negative, and we have corrected this typo. This revision corresponds to line 326 of the revised manuscript.
  - "WK6" and "WK4" were corrected to "WK_6" and "WK_4" respectively. This change is reflected in line 333 of the revised manuscript.
  - The correct value is 2^{43}, and we have corrected this typo. This change corresponds to line 344 of the revised manuscript.
Reviewer 3 Report
Comments and Suggestions for Authors
Abstract:
This paper introduces a novel approach to differential-neural cryptanalysis, specifically targeting the lightweight block cipher HIGHT. The authors propose a truncated neural distinguisher that can effectively differentiate ciphertexts using only partial plaintext information. This method not only achieves comparable accuracy to full-block analysis but also significantly improves the efficiency of key recovery attacks through a divide-and-conquer strategy. The paper presents the first differential-neural key recovery attack on a 15-round reduced HIGHT, demonstrating improved data and time complexity over traditional methods. The approach is expected to be applicable to other generalized Feistel-based ciphers, suggesting a promising direction for future research.
The paper is well-structured, with a clear explanation of the proposed truncated neural distinguisher and its application to key recovery attacks.
The concept of a truncated neural distinguisher is an innovative contribution to the field of differential-neural cryptanalysis. By focusing on partial information, the authors have opened a new avenue for research that could potentially be applied to a wide range of ciphers.
The paper provides a comprehensive review of related works, including previous attempts at differential-neural cryptanalysis and traditional cryptanalytic methods applied to HIGHT. This contextualizes the research within the existing body of knowledge and highlights the advancements made by the authors.
Strengths:
The paper presents a novel and effective method for key recovery attacks, which is a significant contribution to the field of cryptanalysis.
The proposed approach is not only innovative but also demonstrates practical improvements over existing methods.
The research is well-documented, with a clear methodology and thorough analysis of results.
Weaknesses:
The paper could benefit from a broader evaluation of the approach against other ciphers to fully establish the generalizability of the truncated neural distinguisher.
The potential real-world implications of the research could be explored in more depth to better understand the practical impact of the proposed attacks.
The paper might be improved by including a discussion on the potential impact of such attacks on the security of real-world IoT devices that use HIGHT or similar ciphers.
Author Response
First, I would like to express my gratitude for your efforts in reviewing my manuscript. Below is my point-to-point response to your comments.
- Comment 1: The paper could benefit from a broader evaluation of the approach against other ciphers to fully establish the generalizability of the truncated neural distinguisher.
- Response 1: I fully agree with your comment that extending the proposed attack method to other ciphers for generalization is highly meaningful. The truncated neural distinguisher proposed in this paper learns the output of specific parts of the cipher, and I also believe that this approach has considerable potential to be applied to other ciphers. However, for this approach to be applicable, operations must be performed independently on certain words within the cipher, and this can only be determined through detailed analysis of the internal processes of other ciphers. Therefore, at this stage, generalization to other ciphers has not been performed. Nevertheless, the approach using the truncated neural distinguisher is significant in that it enables divide-and-conquer-based key recovery attacks, and I view its potential for expansion positively and have plans to implement it. Accordingly, I have outlined the significance of this paper and my future research plans in "Section 5. Discussion and Future Directions." These revisions correspond to lines 365-392 of the revised manuscript.
- Comment 2: The potential real-world implications of the research could be explored in more depth to better understand the practical impact of the proposed attacks.
- Response 2: Thank you for your insightful comment on presenting and emphasizing the results more clearly. As explained in Response 1, the attack proposed in this paper enables efficient analysis of more rounds than traditional differential cryptanalysis through the divide-and-conquer key recovery approach facilitated by the truncated neural distinguisher. This suggests that the existing security analysis results for other ciphers based on differential cryptanalysis could be further enhanced. I have emphasized this point in "Section 5. Discussion and Future Directions." These revisions correspond to lines 365-392 of the revised manuscript.
- Comment 3: The paper might be improved by including a discussion on the potential impact of such attacks on the security of real-world IoT devices that use HIGHT or similar ciphers.
- Response 3: Thank you for pointing this out. The attack proposed in this paper was performed on HIGHT reduced to 15 rounds, and it was found that the cipher has resistance to differential-neural cryptanalysis from the 16th round onward. Based on the resistance analysis, I indicated in "Section 5. Discussion and Future Directions" that the actual HIGHT, with 32 rounds, provides sufficient security against differential-neural cryptanalysis, and that devices using HIGHT are also considered secure. However, considering the potential for the proposed attack to be extended to other ciphers, I also suggested that further research is needed to explore its application to other block ciphers. These revisions correspond to lines 365-392 of the revised manuscript.
Round 2
Reviewer 3 Report
Comments and Suggestions for Authors
The authors addressed all the reviewers' comments.