Dr Sandip Kumar Mondal

Assistant Professor

Department of Computer Science and Engineering

Contact Details

sandipkumar.m@srmap.edu.in

Education

2024
PhD in Pure Mathematics.
University of Calcutta
2016
M.Sc in Pure Mathematics.
University of Calcutta
2014
B.Sc in Pure Mathematics.
University of Calcutta

Experience

  • May 2024 – Oct 2024 – Project Associate – IIT Madras, Chennai.
  • Nov 2024 – July 2025 – Post Doctoral Researcher – IIT Madras, Chennai.

Research Interest

  • My research interest focuses on the algebraic aspects of symmetric key cryptosystems and their cryptanalysis, with a specific emphasis on block and stream ciphers. I aim to explore and develop novel cryptanalytic techniques such as Differential Attacks, Linear Attacks, Cube Attacks, Differential Fault Attacks, Collision Attacks, Yoyo Attacks, and Biclique Attacks to uncover vulnerabilities in these cryptographic systems. By investigating the underlying algebraic structures of symmetric key ciphers, I seek to identify potential weaknesses that could be exploited by attackers. Understanding the algebraic properties of these ciphers is crucial for devising effective cryptanalysis strategies, improving the security of existing ciphers, and guiding the development of future encryption algorithms.

Awards

  • 2015 – NBHM M.Sc. Scholarship – National Board for Higher Mathematics
  • 2016 (June and December) – CSIR-UGC NET – Council of Scientific and Industrial Research

Publications

  • Improved Side Channel Attacks on TRIVIUM, GRAIN-128-AEAD, ACORN-128 v3 and ASCON-128a

    Sahoo S., Patil R., Kumar Mondal S., Sarkar S., Rebeiro C.

    Article, Designs, Codes, and Cryptography, 2025, DOI Link

    Side Channel Attacks (SCA) exploit physical information leakage from devices performing cryptographic operations, posing significant security threats. While SCA has been extensively studied in the context of block ciphers, similar analyses on stream ciphers and constructions like authenticated encryption are less explored. In this paper, we present a novel enhancement to existing SCA techniques based on the Hamming weight model for stream ciphers. We have identified critical oversights in previous SCA attack models, allowing us to introduce additional inequalities that enhance the model's effectiveness. For TRIVIUM and GRAIN-128-AEAD, we demonstrate that a practical state recovery attack can be achieved in significantly less time than existing attacks on the HW/32 model. Furthermore, we show that our improved model is capable of handling the HW/64 model and can recover the state even with noisy traces within a few hours. Additionally, we extend our model to the authenticated encryption schemes ACORN-128 v3 and ASCON-128a, demonstrating its broader applicability.
  • Cryptanalysis of full round FUTURE with multiple biclique structures

    Roy H.S., Dey P., Mondal S.K., Adhikari A.

    Article, Peer-to-Peer Networking and Applications, 2024, DOI Link

    FUTURE, recently proposed in AFRICACRYPT 2022, is a lightweight Substitution Permutation Network (SPN) based block cipher with 10 rounds. In this paper, we propose two attack algorithms on FUTURE, both based on biclique structure. The first algorithm uses a biclique structure that is constructed at the ciphertext side between the output state of round 10 (i.e., the ciphertext) and the output state of round 6. The time and memory complexities of the attack are 2^125.8875 and 2^32, respectively, while the maximum data complexity is upper bounded by 2^48. We further improve upon the attack complexity by introducing one more biclique between the output state of round 6 and the output state of round 2. In the improved attack algorithm, by targeted partitioning and sub-partitioning of the keyspace and by using the biclique structures, a valid key, plaintext, and ciphertext triplet can be obtained for the cipher with time and memory complexities 2^125.5365 and 2^32, respectively, while the maximum data complexity is upper bounded by 2^48. This is the first work that shows the susceptibility of full round FUTURE under a biclique-based cryptanalysis technique. The second approach is novel in the sense that it uses multiple biclique structures instead of a single biclique structure as used in usual biclique attacks, and thus reduces the time complexity by a factor of 0.22 over the first attack.
  • Restricted near collision attack on Plantlet

    Kumar S., Mondal S.K., Sarkar S., Isobe T., Baksi A., Adhikari A.

    Article, Journal of Cryptographic Engineering, 2024, DOI Link

    Plantlet is a recent lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. This design paradigm receives attention as it is secure against generic time–memory–data trade-off attacks despite its small internal state size. One major motivation for Plantlet is to shore up the weaknesses of Sprout, which is another lightweight stream cipher from the same designers in IACR FSE 2015. In this paper, we observe that a full key recovery attack is possible using a restricted version of near collision attack. We have listed 38 internal state differences whose keystream differences have some fixed 0/1 pattern at certain positions and are efficient for our attack. An adversary in the online phase looks for any one of those 38 patterns in the keystream difference. If found, then with some probability the adversary guesses the internal state difference. Afterwards, on solving a system of polynomial equations (formed by keystream bits) using a SAT solver, the adversary can recover the secret key if the guess is correct; otherwise, some contradiction occurs. After probability computations, we find that on repeating the experiment a fixed number of times, the adversary can recover the secret key with expectation one. The time complexity of the whole process is 2^64.693 Plantlet encryptions, which is 39 times faster than the previous best key recovery attack by Banik et al. in IACR ToSC 2019. We further suggest a countermeasure and its analysis to avoid our attacks. However, the complexity presented in this paper is dependent on the system architecture and implementation of the cipher.
  • Yoyo cryptanalysis on Future

    Mondal S.K., Rahman M., Sarkar S., Adhikari A.

    Article, International Journal of Applied Cryptography, 2024, DOI Link

    In ASIACRYPT 2017, Rønjom et al. reported Yoyo tricks on generic rounds of SPNs. They then applied it to AES and found the most effective way to distinguish AES in several rounds. In FSE 2018, Saha et al. distinguished AES in a known key setting up to 8 rounds. In AFRICACRYPT 2022, Gupta et al. published a block cipher Future, whose design is like AES with some tweaks. In this paper, we analyse Future with the Yoyo trick in both the secret key setting and the known key setting. We show that in the secret key setting, one can distinguish Future up to five and six rounds with data complexity 2^9.83 and 2^58.83 respectively. We also demonstrate that in the known key setting, one can distinguish Future with data complexity 2^15 for both six and eight rounds. Our attack is an adaptively chosen plaintext/ciphertext attack.
  • Improved Fault Analysis on Subterranean 2.0

    Mondal S.K., Dey P., Roy H.S., Adhikari A., Maitra S.

    Article, IEEE Transactions on Computers, 2024, DOI Link

    Subterranean 2.0, a NIST second round lightweight cryptographic primitive, was introduced by Daemen et al. in 2020. It has three modes of operation: Subterranean-SAE, Subterranean-deck, and Subterranean-XOF. So far, most of the existing practical-time implementable attacks on Subterranean-SAE fall under the nonce misuse setting. In this paper, we present significantly improved Differential Fault Analysis on Subterranean-SAE and Subterranean-deck. We consider the more challenging framework of an unknown fault injection round, and achieve improved execution time as well as data complexity over the best known fault attack available in the literature. We utilize deep neural networks and also the correlation coefficient for generating signatures and matching them. Two general frameworks are proposed for fault location identification, assuming that the fault injection round is unknown. Finally, we use a SAT solver to efficiently recover the embedded encryption key with no more than 5 distinct faults. Experimental results reveal that the total time (online phase) required to mount the attack on Subterranean-SAE (Subterranean-deck) is 1234.6 (1334.6) seconds.
  • Revisiting Yoyo Tricks on AES

    Mondal S.K., Rahman M., Sarkar S., Adhikari A.

    Article, IACR Transactions on Symmetric Cryptology, 2023, DOI Link

    At Asiacrypt 2017, Rønjom et al. presented key-independent distinguishers for different numbers of rounds of AES, ranging from 3 to 6 rounds, in their work titled "Yoyo Tricks with AES". The reported data complexities for these distinguishers were 3, 4, 2^25.8, and 2^122.83, respectively. In this work, we revisit those key-independent distinguishers and analyze their success probabilities. We show that the distinguishing algorithms provided for 5 and 6 rounds of AES in the paper of Rønjom et al. are ineffective with the proposed data complexities. Our thorough theoretical analysis has revealed that the success probability of these distinguishers for both 5-round and 6-round AES is approximately 0.5 at the data complexities mentioned earlier. We investigate the reasons behind this seemingly random behavior of those reported distinguishers. Based on our theoretical findings, we have revised the distinguishing algorithm for 5-round AES. Our revised algorithm demonstrates success probabilities of approximately 0.55 and 0.81 for 5-round AES, with data complexities of 2^29.95 and 2^30.65, respectively. We have also conducted experimental tests that support our theoretical findings. Additionally, we have theoretically demonstrated that improving the success probability of the distinguisher for 6-round AES from 0.50000 to 0.50004 would require a data complexity of 2^129.15. This finding invalidates the reported distinguisher by Rønjom et al. for 6-round AES.

Interests

  • C Programming Language
  • Cryptanalysis
  • Symmetric Key Cryptography
