Open Access
Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96
Author(s) - Christoph Dobraunig, Yann Rotella, Jan Schoone
Publication year - 2020
Publication title - IACR Transactions on Symmetric Cryptology
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.715
H-Index - 10
ISSN - 2519-173X
DOI - 10.46586/tosc.v2020.i1.289-312
Subject(s) - block cipher, NIST, cryptography, computer science, cryptanalysis, differential cryptanalysis, impossible differential cryptanalysis, theoretical computer science, cryptographic primitive, linear cryptanalysis, algebraic number, advanced encryption standard, computer security, encryption, higher order differential cryptanalysis, mathematics, cryptographic protocol, mathematical analysis, natural language processing
Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side-effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations gotten for 2.5 rounds of Pyjamask-96. The AEAD-scheme Pyjamask itself is not threatened by the work in this paper.
