Known-Key Attack on GIFT-64 and GIFT-64[g] Based on Correlation Matrices

Published: 01 Jan 2024, Last Modified: 19 Feb 2025, ACISP (1) 2024, CC BY-SA 4.0
Abstract: Block ciphers are often used as building blocks for one-way compression functions, which in turn can be employed to construct hash functions. Two well-known and important methods for designing one-way compression functions from block ciphers are the Davies-Meyer compression and the Miyaguchi-Preneel compression. To verify the security of such a construction, it is necessary to evaluate the robustness of the underlying block cipher against an attacker who knows, e.g., the secret key, which is the so-called known-key model. In this paper, we evaluate the security of the lightweight block cipher GIFT-64 in the known-key setting, when used as a building block of hash functions. We significantly improve the known-key distinguisher on full GIFT-64. The distinguisher is composed of truncated differentials over 13 rounds and a meet-in-the-middle distinguisher over 15 rounds. We leverage a relationship between truncated differentials and multiple linear approximation cryptanalysis. This allows us to convert the search for truncated differentials into the construction of multiple linear approximations, which improves the probability of the truncated differentials.