Cryptanalysis of Round-Reduced Fantomas, Robin and iSCREAM

Abstract

In this work, we focus on LS-design ciphers Fantomas, Robin, and iSCREAM. LS-designs are a family of bitslice ciphers aimed at efficient masked implementations against side-channel analysis. We have analyzed Fantomas and Robin with a technique that previously has not been applied to both algorithms or linear cryptanalysis. The idea behind linear cryptanalysis is to build a linear characteristic that describes the relation between plaintext and ciphertext bits. Such a relationship should hold with probability 0.5 (bias is zero) for a secure cipher. Therefore, we try to find a linear characteristic between plaintext and ciphertext where bias is not equal to zero. This non-random behavior of cipher could be converted to some key-recovery attack. For Fantomas and Robin, we find 5 and 7-round linear characteristics. Using these characteristics, we attack both the ciphers with reduced rounds and recover the key for the same number of rounds. We also apply linear cryptanalysis to the famous CAESAR candidate iSCREAM and the closely related LS-design Robin. For iScream, we apply linear cryptanalysis to the round-reduced cipher and find a 7-round best linear characteristics. Based on those linear characteristics we extend the path in the related-key scenario for a higher number of rounds.

1. Introduction

Block ciphers are one of the essential cryptographic primitives. Our understanding of building secure block ciphers has greatly improved in the last 20 years. We already have well-understood methods in analyzing block ciphers with a possibly wide range of cryptanalytic tools and techniques including linear and differential attacks and their variants. Linear cryptanalysis is one of the powerful cryptanalytic techniques since its introduction by Matsui [1]. It is one of the major statistical attacks on block ciphers. Since its invention in the early 1990s, many variations and extensions have been considered. A statistical model to estimate the data complexity of linear attacks was introduced in [2]. In this paper, we focus on linear cryptanalysis of round-reduced block ciphers: Fantomas, Robin, and iSCREAM. LS-design [3] ciphers Fantomas and Robin belong to the family of bitslice ciphers proposed by Grosso et al. at FSE 2014. The designers specified two variants of LS-design, namely the involutive cipher Robin and the non-involutive cipher Fantomas. On the other hand, iSCREAM is also an LS-design cipher and uses a tweakable block cipher introduced in Tweakable Authenticated Encryption (TAE) proposed by Liskov et al. [4] and closely related to Robin. Compared to the conventional block cipher, a tweakable block cipher (See Figure 1) takes an additional input called tweak.

The great importance of such algorithms has been manifested by the announcement of a public call to the CAESAR competition [5]. This contest received worldwide attention when it started in 2014. In the first round, 57 algorithms submitted to competition were chosen, with iSCREAM being one of them. We have analyzed all these ciphers with linear cryptanalysis techniques. In this paper, we construct 5-round linear approximations for Fantomas, and 7-round linear approximations for Robin. Using these approximations, we build the 5- and 7-round key-recovery attack for Fantomas and Robin, respectively. We also build 7-round linear characteristics for iSCREAM and based on those linear characteristics we extend the path in the related-key scenario for a greater number of rounds.

2. Related Work

The designers provided some security evaluations (

Table 1. Security evaluations provided by designers of Fantomas and Robin.

Cryptanalysis	Fantomas	Robin	Reference
Linear	⩽8	⩽8	[3]
Differential	⩽8	⩽8	[3]
Integral	4	4	[3]
Boomerang	<5	<5	[3]
Impossible differentials	<3	<3	[3]
Truncated Differential	⩽6	9	[3]

) of Fantomas and Robin. The table shows the maximum number of rounds (upper bound) where the attack could be possible (but not necessary).

Shen et al. presented a paper [6], where they did previously impossible differential cryptanalysis of Fantomas and Robin and constructed 4-round impossible differential and attack 6 rounds of ciphers. As mentioned by authors it was the first impossible differential attack on Fantomas and Robin. Dwivedi et al. presented papers [7,8] where they did linear, differential-linear, impossible differential and related-key cryptanalysis of round-reduced Scream, which is closely related to LS-design Fantomas. They presented a key-recovery attack of 5-round with linear and differential-linear, 4-round with impossible differential and 10 rounds with the related-key scenario.

Leander et al. presented a paper [9], where they introduced a generic algorithm to detect invariant subspaces and with this technique, they cryptanalyzed Robin and iSCREAM. Their attack is on a full cipher yet in a weak or related-key model. A year later, at ASIACRYPT 2016, an attack called the non-linear invariant attack was introduced [10]. In that paper, the authors showed how to distinguish the full version of tweakable block cipher iSCREAM, Scream and Midori64 in a weak key setting. For the authenticated encryption schemes SCREAM and iSCREAM, the plaintext can be practically recovered only from the ciphertext in the nonce-respecting setting.

In the context of block cipher and image encryption cipher cryptanalysis, different cryptanalytic techniques applied to such ciphers, we have seen some strong papers recently [11,12,13,14,15,16,17,18,19,20]. These authors applied various famous cryptanalytic techniques such as, linear, differential, related-key, impossible differential and produced results for the attack.

3. Descriptions of LS-Designs, Fantomas, Robin and iSCREAM

Fantomas and Robin are two specific LS-designs. The state is represented in the form of $s\times l$ matrix. Each element in the matrix represents a bit. The state x is updated by iterating $N_r$ rounds as shown in Algorithm 1. Fantomas is a non-involutive instance and Robin is an involutive instance. Both have SPN structure 128-bit block ciphers with 128-bit key size. The number of rounds in Fantomas and Robin is 12 and 16, respectively. The round function consists of the following layers:

• S-box layer: Applying the non-linear 8-bit S-boxes in parallel to each byte of state.
• L-box layer: Applying 16-bit L-box with branch number 8. The Fantomas and Robin use two different L-box (Figure 2).
• KC layer: The 128-bit key K and r-th round constant Con(r), XORed with the state.

Algorithm 1 LS-design with $l$-bit L-boxes and $s$-bit S-boxes $(n=l\times s)$.
1: $x=P\oplus K$;	▹x is a $s\times l$ bits matrix
2: for $0\le r<N_r$ do
3:     for $0\le i<l$ do	▹ S-box Layer
4:              $x[i,\ast ]=S\left[x\right[i,\ast \left]\right];$
5:     end for
6:     for $0\le j<s$ do	▹ L-box Layer
7:               $x[\ast ,j]=L\left[x\right[\ast ,j\left]\right];$
8:      end for
9:      $x=x\oplus K\oplus C\left(r\right)$;	▹ key addition and round constant
10: end for
11: return x

The designers of Fantomas and Robin directly evaluate the cipher security against the linear attack using a branch number of the linear diffusion layer (L-box) used in both ciphers. The branch number of L-box is defined with Equation (1). The highest branch number $\mathcal{B}\left(L\right)$ possible for a 16-bit L-box is 8. In the equation, x represents the input of L-box and $L\left(x\right)$ denotes the output value.

$$\mathcal{B}\left(L\right)=\underset{x\ne 0}{min}\left(\mid x\mid +\mid L\left(x\right)\mid \right)$$

(1)

Any two-round trail activates at least $\mathcal{B}\left(L\right)$ S-boxes. This gives the following 2-round (2r) trail and the maximum bias (see Equation (2)) of linear trails. Using this property, the best two-round linear trail is possible with bias $2^{-16}$ (or $2^{-64}$ for 8 rounds). However, note that designers do analysis based on 2-round best trails and it is not necessary that we can construct even 8-round trail using the best result of any 2-round trail (more details are referred to in [3]). In our analysis, we present linear trails for a given number of rounds. In the equation, r represents a round number, and $Pr$ is the probability of the linear trial.

$$P{r}_{lin}\left(2r\right)\le 2^{-16.r}$$

(2)

Descriptions of iSCREAM

iSCREAM is essentially a tweaked version of Robin. The tweakable block cipher iSCREAM is based on the LS-design variant [3] known as TLS-design. Compared to the conventional block cipher, a tweakable block cipher (See Figure 1) takes an additional input called tweak.

The state is represented as an $s\times l$ matrix, where each element of the matrix represents a bit. Therefore, a size of the block is $n=s\times l$ and iSCREAM has a block size of $8\times 16=128$ bits. The state x is updated by iterating $N_s$ steps, where each step has $N_r$ rounds as shown in Algorithm 2. Several steps can vary, and it serves as the security margin parameter. In the pseudo-code given below a plaintext is denoted by P, whereas TK (tweakey) is a simple linear combination of a tweak T and the master key K. In iSCREAM, both the key and the tweak are 128 bits long. iSCREAM uses the same L-box (Figure 2) used by Robin.

Algorithm 2 TLS-design with $l$-bit L-boxes and $s$-bit S-boxes $(n=l\times s)$.
1: $x=x\oplus TK\left(0\right)$	▹x is a $l\times s$ bits matrix
2: for $0<\sigma \le N_s$ do
3:     for $0<\rho \le N_r$ do
$r=2.(\sigma -1)+\rho$
4:           for $0\le j<l$do	▹ S-box Layer
5:                     $x[\ast ,j]=S\left[x\right[\ast ,j\left]\right];$
6:           end for
$x=x\oplus C_r$;	▹ Constant addition
7:            for $0\le i<s$do	▹ L-box Layer
8:                      $x[i,\ast ]=L\left[x\right[i,\ast \left]\right];$
9:            end for
10:    end for
$x=x\oplus TK\left(\sigma \right)$	▹ Tweakey addition
11: end for
12: return x

Two different tweak keys are used every two steps by:

$$\begin{array}{cc}\hfill TK(\sigma =2i)& =T\oplus K,\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill TK(\sigma =2i+1)& =(T\stackrel{16}{⋘}1)\hfill \end{array}$$

(4)

where $\stackrel{16}{⋘}$ is a rotation of one bit applied independently to all the (16-bit) rows of the state, $\sigma$ is the number of rounds, and i is the size of S-box.

4. Linear Approximation of Fantomas

The idea behind linear cryptanalysis is to build a linear characteristic that describes the relation between plaintext and ciphertext bits. Such a relationship should hold with probability 0.5 (bias $ϵ=0$) for a secure cipher. Therefore, we try to find a linear characteristic between plaintext and ciphertext where ($ϵ\ne 0$). This non-random behavior of cipher could be converted to some key-recovery attack.

For a better understanding of linear cryptanalysis, we refer the article A Tutorial on Linear and Differential Cryptanalysis [21]. To construct a linear approximation for Fantomas we proceed as follows. First, we construct the linear approximation table of Fantomas S-box, and from the Table, we choose the best linear approximation $i{n}_5=ou{t}_5$ (5th input bit of S-box equal to 5th output bit). It has the bias value equal to $2^{-3}$. For 5 rounds, the best linear approximation we found has the bias $2^{-49}$ with 24 active S-boxes. The linear approximation is shown in

Table 2. Linear approximation for the 5-round Fantomas. (Each column of the state is encoded as two hexadecimal numbers.).

00	00	00	10	00	00	10	00	00	00	00	00	00	10	10	00
↓
S-box Layer (active S-boxes: 4, bias: $2^{-9}$)
↓
00	00	00	10	00	00	10	00	00	00	00	00	00	10	10	00
↓
L-box Layer
↓
00	00	10	00	00	00	00	10	10	00	00	00	00	10	00	00
↓
S-box Layer (active S-boxes: 4, bias: $2^{-9}$)
↓
00	00	10	00	00	00	00	10	10	00	00	00	00	10	00	00
↓
L-box Layer
↓
00	00	00	00	00	10	00	10	00	00	10	00	10	00	00	00
↓
S-box Layer (active S-boxes: 4, bias: $2^{-9}$)
↓
00	00	00	00	00	10	00	10	00	00	10	00	10	00	00	00
↓
L-box Layer
↓
00	10	10	10	00	00	10	00	00	10	00	00	10	10	00	10
↓
S-box Layer (active S-boxes: 8, bias: $2^{-17}$)
↓
00	10	10	10	00	00	10	00	00	10	00	00	10	10	00	10
↓
L-box Layer
↓
10	00	00	00	00	00	00	10	00	10	10	00	00	00	00	00
↓
S-box Layer (active S-boxes: 4, bias: $2^{-9}$)
↓
10	00	00	00	00	00	00	10	00	10	10	00	00	00	00	00
↓
L-box Layer
↓
10	10	10	10	10	00	00	10	10	10	00	10	00	10	10	10

. We use non-involutive L-Box in case of Fantomas.

The number of plaintexts required for the key-recovery attack is typically proportional to ${ϵ}^{-2}$. We also investigate more rounds, but for more than 5 rounds our bias exceeds the limit. For 6 rounds approximation obtained by this method, we exceed the exhaustive search bound of $2^{128}$ as we know the size of the state is 128-bit. There are 16 columns in the Fantomas state and therefore 16 S-boxes in S-box layer. We examined $2^{16}$ initial states for our linear approximations and found the best trial. We use the same S-box linear approximation $(i{n}_5=ou{t}_5)$ for subsequent rounds. A total bias $ϵ$ is calculated using the formula introduced by Matsui in [1]. In the below equation, n is the size of L-box.

$${ϵ}_{1,2,3\dots 16}=2^{n-1}\prod _{i=1}^{i=16}{ϵ}_i$$

(5)

5-Round Key-Recovery Attack

We can recover the secret key by using the linear approximation we constructed for the cipher. Firstly, we encrypt the first S-box partially by guessing some key bits. Specifically, we XORed the plaintext bits with the guessed subkey and the result is run forward through the S-box. We need to guess these bits, which are needed to calculate the values of bits involved in the linear approximation.

Table 3. Initial and final states of the 4.5-round linear approximation.

00	00	00	10	00	00	10	00	00	00	00	00	00	10	10	00
↓
4.5 Rounds
↓
10	10	10	10	10	00	00	10	10	10	00	10	00	10	10	10

shows the details. For each subkey guess, we create a counter, and it is incremented once the linear approximation holds. A counter with a value which differs the most from a half of several plaintext/ciphertext pairs corresponds to the correct subkey guess.

The given 4.5-round approximation in Table 3 has a total bias $2^{-41}$, and the number of plaintext/ciphertext pairs needed to detect the bias is ${ϵ}^{-2}=2^{82}$. There are 4 active input bits placed in 4 columns of the state. Each column size is 8-bit, and therefore we need to guess $4\times 8=32$ key bits. The number of total possible combinations will be $2^{32}$. We check $2^{82}$ possible pairs of plaintext/ciphertext for each combination, and therefore the total complexity of our key-recovery attack is $2^{82+32}=2^{114}$. To recover more bits, we can repeat the procedure with different approximations, where input active bits are placed in a different position. With this complexity, we do not exceed the exhaustive search bound of $2^{128}$.

5. Linear Approximation of Robin

To construct a linear approximation for Robin we follow similar steps as we did for Fantomas. First, we construct the linear approximation table of Robin S-box, and from the table we choose the best linear approximation $i{n}_{4,5}=ou{t}_{4,5}$ (4th and 5th input bit of S-box equal to 4th and 5th output bit). It has the best bias value equal to $2^{-3}$. There are 16 columns in the Robin state and therefore 16 S-boxes in S-box layer. We examine $2^{16}$ initial states for our linear approximations. We use the same S-box linear approximation $i{n}_{4,5}=ou{t}_{4,5}$ for subsequent rounds. For 7 rounds the best linear approximation we found has the bias $2^{-51}$ with the total of 25 active S-boxes. The linear approximation is shown in

Table 4. Linear approximation for the 7-round Robin. (Each column of the state is encoded as two hexadecimal numbers.).

00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
S-box Layer (active S-boxes: 1, bias: $2^{-3}$)
↓
00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
L-box Layer
↓
18	18	18	18	18	18	18	00	00	00	00	00	00	00	00	00
↓
S-box Layer (active S-boxes: 7, bias: $2^{-15}$)
↓
18	18	18	18	18	18	18	00	00	00	00	00	00	00	00	00
↓
L-box Layer
↓
00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
S-box Layer (active S-boxes: 1, bias: $2^{-3}$)
↓
00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
L-box Layer
↓
18	18	18	18	18	18	18	00	00	00	00	00	00	00	00	00
↓
S-box Layer (active S-boxes: 7, bias: $2^{-15}$)
↓
18	18	18	18	18	18	18	00	00	00	00	00	00	00	00	00
↓
L-box Layer
↓
00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
S-box Layer (active S-boxes: 1, bias: $2^{-3}$)
↓
00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
L-box Layer
↓
18	18	18	18	18	18	18	00	00	00	00	00	00	00	00	00
↓
S-box Layer (active S-boxes: 7, bias: $2^{-15}$)
↓
18	18	18	18	18	18	18	00	00	00	00	00	00	00	00	00
↓
L-box Layer
↓
00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
S-box Layer (active S-boxes: 1, bias: $2^{-3}$)
↓
00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
L-box Layer
↓
18	18	18	18	18	18	18	00	00	00	00	00	00	00	00	00

. For the 8-round approximation obtained by this method, we exceed the exhaustive search bound $2^{128}$. Please note that the L-Box table we use in Robin is involutive and not same as Fantomas.

7-Round Key-Recovery Attack

We can recover the secret key by using the linear approximation we constructed for the cipher. First, we encrypt the first S-box partially by guessing some key bits, specifically we XORed the plaintext bits with guessed subkey and result is run forward through the S-box. We need to guess these bits, which are needed to calculate values of bits involved in the linear approximation.

Table 5. Initial and final states of the 6.5-round linear approximation.

00	00	00	00	00	00	00	18	00	00	00	00	00	00	00	00
↓
6.5 rounds
↓
18	18	18	18	18	18	18	00	00	00	00	00	00	00	00	00

shows the details. For each subkey guess we create a counter and it is incremented once the linear approximation holds. A counter with a value which differs the most from a half of several plaintext/ciphertext pairs corresponds to the correct subkey guess.

The given 6.5-round approximation in Table 5 has a total bias $2^{-49}$, and the number of plaintext/ciphertext pairs needed to detect the bias is ${ϵ}^{-2}=2^{98}$. There is 1 active input bit placed in 1 column of the state. Each column size is 8-bit, and therefore we need to guess $1\times 8=8$ key bits. The number of total possible combinations will be $2^8$. We check $2^{98+8}$ possible pairs of plaintext/ciphertext for each combination, and therefore the total complexity of our key-recovery attack is $2^{98+8}=2^{106}$. To recover more bits, we can repeat the procedure with different approximations, where input active bits are placed in different position.

6. Related-Key Linear Cryptanalysis of iSCREAM

We constructed the linear approximation table of iSCREAM S-box, and from the table we chose the best linear approximation $i{n}_{4,5}=ou{t}_{4,5}$ (4th and 5th input bit of S-box equal to 4th and 5th output bit). It has the best bias value equal to $2^{-3}$. There are 16 columns in the iSCREAM state and therefore 16 S-boxes in S-box layer. We examined $2^{16}$ initial states for our linear approximations. We use the same S-box linear approximation $i{n}_{4,5}=ou{t}_{4,5}$ for subsequent rounds. For 7 rounds the best linear approximation we found has the bias $2^{-51}$ with total of 25 active S-boxes. The linear approximation is shown in the

Table 6. Linear approximation for the 7-round iSCREAM. (Each column of the state is encoded as two hexadecimal numbers.).

00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	18
↓
S-box Layer (active S-boxes: 1, bias: $2^{-3}$)
↓
00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	18
↓
L-box Layer
↓
18	18	18	18	00	00	00	00	18	18	18	00	00	00	00	00
↓
S-box Layer (active S-boxes: 7, bias: $2^{-15}$)
↓
18	18	18	18	00	00	00	00	18	18	18	00	00	00	00	00
↓
L-box Layer
↓
00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	18
↓
S-box Layer (active S-boxes: 1, bias: $2^{-3}$)
↓
00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	18
↓
L-box Layer
↓
18	18	18	18	00	00	00	00	18	18	18	00	00	00	00	00
↓
S-box Layer (active S-boxes: 7, bias: $2^{-15}$)
↓
18	18	18	18	00	00	00	00	18	18	18	00	00	00	00	00
↓
L-box Layer
↓
00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	18
↓
S-box Layer (active S-boxes: 1, bias: $2^{-3}$)
↓
00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	18
↓
L-box Layer
↓
18	18	18	18	00	00	00	00	18	18	18	00	00	00	00	00
↓
S-box Layer (active S-boxes: 7, bias: $2^{-15}$)
↓
18	18	18	18	00	00	00	00	18	18	18	00	00	00	00	00
↓
L-box Layer
↓
00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	18
↓
S-box Layer (active S-boxes: 1, bias: $2^{-3}$)
↓
00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	18
↓
L-box Layer
↓
18	18	18	18	00	00	00	00	18	18	18	00	00	00	00	00

. For 8 round approximation obtained by this method, we exceed the exhaustive search bound $2^{128}$. Please note that the L-Box table we use in iSCREAM is involutive and same as Robin.

Related-Key Cryptanalysis

In the Table 6, we found the best linear path of iSCREAM. In this section, we add a few more rounds before the linear path in a related-key scenario. In the case of iSCREAM, which uses the tweakey scheduling algorithm, consider that we have a full control over the tweak T. If x represent the state after each two rounds, our equations for 4 rounds of related-key are:

$$\begin{array}{cc}\hfill x& =P\oplus TK\left[0\right]=P\oplus T\oplus K\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill x& =x\oplus TK\left[1\right]=x\oplus (T\stackrel{16}{⋘}1)\hfill \end{array}$$

(7)

In the above equations, P is plaintext, $TK$ is tweakey, and K is the key. To connect the related-key path with the linear path, we need the desired output after 4 rounds of the related-key.

Consider we need an output V before the start of linear part. We need such an equation for the first 4 rounds of the related-key attack where the plaintext difference after 2 rounds is 0 and becomes V after 4 rounds. Such an equation is possible because we have full control over plaintext P and tweak T. Therefore, our equations become:

$$x=P\oplus T\oplus K=0$$

(8)

$$x=x\oplus (T\stackrel{16}{⋘}1)=V$$

(9)

In our case, the linear path starts with the initial value 0000000000000001, and therefore the value of V required at the end of the related-key path will be equal to 0000000000000001. We have full control over plaintext and if we choose the plaintext $P=T\oplus K$, then clearly $P\oplus T\oplus K=0$ and Equation (8) satisfy. Also, if we chose the value of T = 1,000,000,000,000,000, it will satisfy Equation (9). Once we get the desired output from the related-key path, we add the linear path for 7 rounds. We have created 4 rounds of the related-key path along with the 7 rounds of the linear path and cover total 11 rounds. The bias for the approximation is $ϵ=2^{-51}$, and we need ${ϵ}^{-2}=2^{102}$ chosen plaintexts to detect the bias. There is 1 active input bit placed in the column of the state (Table 6). Each column size is 8-bit, and therefore we need to guess $1\times 8=8$ key bits. The time complexity of the attack is $2^{8+102}=2^{110}$.

7. Conclusions

In this paper, we have analyzed LS-design ciphers Fantomas, Robin, and iSCREAM using linear cryptanalysis. Our findings help to quantify the security margin of these ciphers against linear attacks. We conclude the analyzed ciphers have enough security margin against this attack for a full number of rounds. We have not used any standard automatic heuristic tools to calculate linear characteristics for each cipher. Our analysis provides state-of-the-art results but within a simpler framework. We believe it is essential to analyze such new, promising algorithms with a possibly wide range of cryptanalytic tools and techniques. Our work here helps to realize this goal.