At ToSC 2021, Sakamoto et al. proposed Rocca, an AES-based encryption scheme, for Beyond 5G applications. They presented a class of round functions that achieved impressive performance in software by improving the design strategy for constructing an efficient AES-based round function that was proposed by Jean and Nikolić at FSE 2016. In this paper, we revisit their design strategy for finding more efficient round functions. We add new requirements further to improve speed of Rocca. Specifically, we focus on the number of temporary registers for updating the round function and search for round functions with the minimum number of required temporary registers. As a result, we find a class of round functions with only one required temporary register, while round function of Rocca requires two temporary registers. We show that new round functions are significantly faster than that of Rocca on the latest Ice Lake and Tiger Lake architectures. We emphasize that, regarding speed, our round functions are optimal among the Rocca class of round functions because the search described in this paper covers all candidates that satisfy the requirements of Rocca.

This paper investigates the security of KCipher-2 against differential attacks. We utilize an MILP-based method to evaluate the minimum number of active S-boxes in each round. We try to construct an accurate model to describe the 8-bit truncated difference propagation through the modular addition operation and the linear transformation of KCipher-2, respectively, which were omitted or simplified in the previous evaluation by Preneel et al. In our constructed model, the difference characteristics neglected in Preneel et al.'s evaluation can be taken into account and all valid differential characteristics can be covered. As a result, we reveal that the minimal number of active S-boxes is 25 over 15 rounds in the related IV setting and it is 17 over 24 rounds in the related IV-key setting. Therefore, this paper shows for the first time that KCipher-2 is secure against the related IV differential attack.

In this paper, we revisit related-key security of TWINE block cipher with 80-bit and 128-bit keys. Using an MILP-aided automatic search algorithm, we point out the previous evaluation of TWINE with a 80-bit key is wrong, and give a corrected evaluation result. Besides, we show a first security evaluation of TWINE with a 128-bit key in the related-key setting, which was infeasible due to the high computation cost in the original proposal.

Generalized Feistel Network (GFN) is widely used in block ciphers. CLEFIA is one of the GFN type-2 block ciphers. CLEFIA employs Diffusion Switching Mechanism (DSM) in its diffusion layer. DSM improves CLEFIA's security by increasing its number of active S-boxes, which is an indicator of security against differential and linear cryptanalyses. However, two matrices in DSM increase implementational cost. In this paper, we pursue the research question whether it is possible to achieve the same security as original CLEFIA with only one matrix without overhead in hardware. Our idea to answer the research question is applying byte-shuffling technique to CLEFIA. Byte-shuffling is an operation to shuffle 8-bit bytes. On the other hand, traditional GFN ciphers rotate 32-bit or larger words in their permutation layer. Since implementation of byte-shuffling is considered as cost-free in hardware, it adds no overhead in comparison with word rotation. Byte-shuffling has numerous shuffle patterns whereas word rotation has a few patterns. In addition, security property varies among the shuffle patterns. So, we have to find the optimal shuffle pattern(s) on the way to pursue the research question. Although one way to find the optimal shuffle pattern is evaluating all possible shuffle patterns, it is impractical to evaluate them since the evaluation needs much time and computation. We utilize even-odd byte-shuffling technique to narrow the number of shuffle patterns to be searched. Among numerous shuffle patterns, we found 168 shuffle patterns as the optimal shuffle patterns. They achieved full diffusion in 5 rounds. This is the same security as original CLEFIA. They achieved enough security against differential and linear cryptanalyses at 13th and 14th round, respectively, by active S-box evaluations. It is just one and two rounds longer than original CLEFIA. However, it is three and two rounds earlier than CLEFIA without DSM.

In spite of the research for a linear layer of Type-2 Generalized Feistel Network (Type-2 GFN) over more than 10 years, finding a good 32-branch permutation for Type-2 GFN is still a very hard task due to a huge search space. In terms of the diffusion property, Suzaki and Minematsu investigated the required number of rounds to achieve the full diffusion when the branch number is up to 16. After that, Derbez et al. presented a class of 32-branch permutations that achieves the 9-round full diffusion and they prove that this is optimal. However, this class is not suitable to be used in Type-2 GFN because it requires a large number of rounds to ensure a sufficient number of active S-boxes. In this paper, we present how to find a good class of 32-branch permutations for Type-2 GFN. To achieve this goal, we convert Type-2 GFN into a LBlock-like structure, and then we evaluate the diffusion property and the resistance against major attacks, such as differential, linear, impossible differential and integral attacks by an MILP. As a result, we present a good class of 32-branch permutations that achieves the 10-round full diffusion, ensures differentially/linearly active S-boxes of 66 at 19 round, and has the 18/20-round impossible differential/integral distinguisher, respectively. The 32-branch permutation used in WARP was chosen among this class.

Tweakable block cipher (TBC) is an extension of conventional block cipher. We study how to build a TBC based on generalized Feistel structure (GFS), a classical block cipher construction. While known dedicated TBC proposals are based on substitution-permutation network (SPN), GFS has not been used for building TBC. In particular, we take 64-bit GFS block cipher TWINE and try to make it tweakable with a minimum change. To find a best one from a large number of candidates, we performed a comprehensive search with a help of mixed integer linear programming (MILP) solver. As a result, our proposal TWINE is quite efficient, has the same number of rounds as TWINE with extremely simple tweak schedule.

In this paper, we explore the security against integral attacks on well-known stream ciphers SNOW 3G and KCipher-2. SNOW 3G is the core of the 3GPP confidentiality and integrity algorithms UEA2 and UIA2, and KCipher-2 is a standard algorithm of ISO/IEC 18033-4 and CRYPTREC. Specifically, we investigate the propagation of the division property inside SNOW 3G and KCipher-2 by the Mixed-Integer Linear Programming to efficiently find an integral distinguisher. As a result, we present a 7-round integral distinguisher with 23 chosen IVs for KCipher-2. As far as we know, this is the first attack on a reduced variant of KCipher-2 by the third party. In addition, we present a 13-round integral distinguisher with 27 chosen IVs for SNOW 3G, whose time/data complexity is half of the previous best attack by Biryukov et al.

Authenticated-Encryption with Associated-Data (AEAD) plays an important role in guaranteeing confidentiality, integrity, and authenticity in network communications. To meet the requirements of high-performance applications, several AEADs make use of AES New Instructions (AES-NI), which can conduct operations of AES encryption and decryption dramatically fast by hardware accelerations. At SAC 2013, Wu and Preneel proposed an AES-based AEAD scheme called AEGIS-128/128L/256, to achieve high-speed software implementation. At FSE 2016, Jean and Nikolić generalized the construction of AEGIS and proposed more efficient round functions. At ToSC 2021, Sakamoto et al. further improved the constructions of Jean and Nikolić, and proposed an AEAD scheme called Rocca for beyond 5G. In this study, we first evaluate the security of the initialization phases of Rocca and AEGIS family against differential and integral attacks using MILP (Mixed Integer Linear Programming) tools. Specifically, according to the evaluation based on the lower bounds for the number of active S-boxes, the initialization phases of AEGIS-128/128L/256 are secure against differential attacks after 4/3/6 rounds, respectively. Regarding integral attacks, we present the integral distinguisher on 6 rounds and 6/5/7 rounds in the initialization phases of Rocca and AEGIS-128/128L/256, respectively. Besides, we evaluate the round function of Rocca and those of Jean and Nikolić as cryptographic permutations against differential, impossible differential, and integral attacks. Our results indicate that, for differential attacks, the growth rate of increasing the number of active S-boxes in Rocca is faster than those of Jean and Nikolić. For impossible differential and integral attacks, we show that the round function of Rocca achieves the sufficient level of the security against these attacks in smaller number of rounds than those of Jean and Nikolić.