Integral Attack on CHILOW
Articles in Press, Corrected Proof, Available Online from 19 March 2026
https://doi.org/10.22042/isecure.2026.242054
Akram Khalesi, Zahra Ahmadian
Abstract: CHILOW is a family of tweakable block ciphers introduced at Eurocrypt 2025, prioritizing decryption speed over encryption speed. This is achieved through a low-latency non-linear layer of degree two within the round function and a minimal number of rounds. As a result, CHILOW presents an appealing target for attacks that exploit its algebraic properties. These characteristics, along with the strict query limitations imposed by the designers, motivate our investigation into CHILOW's security against integral attacks leveraging the division property. We have identified several integral distinguishers, which vary in data complexity and the number of balanced output bits. Specifically, for CHILOW-(32+τ), we derived a 4-round distinguisher with 15 constant bits in the input, in which all 32 output bits are balanced. However, the longest integral distinguisher that complies with the query limitations extends up to 3 rounds. For CHILOW-40, integral distinguishers up to 5 rounds are detected; however, only those spanning three rounds meet the query constraints. Furthermore, we have explored the potential for extending these distinguishers to key-recovery attacks and analyzed their complexity. Using the 3-round distinguisher on CHILOW-(32+τ), we propose a key-recovery attack with a 32-bit advantage, a data complexity of 2^40 chosen ciphertexts and a time complexity of 2^40 decryptions, all within the query limits. Therefore, by performing an exhaustive search over the remaining key candidates, a single candidate for the master key can be recovered, resulting in an overall attack time complexity of 2^96 decryptions. Additionally, we present an integral key-recovery attack on the 6-round version of CHILOW-(32+τ) with a data complexity of 2^8 chosen ciphertexts and a time complexity of 2^102.6 encryptions. This attack only obtains information on the tweaks of the last three rounds; using this information to recover the master key will be the subject of future research.
Reverse Engineering of Authentication Protocol in DesFire
Volume 15, Issue 2, July 2023, Pages 254-259
https://doi.org/10.22042/isecure.2023.371284.889
Mansoureh Labbafniya, Hamed Yusefi, Akram Khalesi
Abstract: Nowadays, contactless smart cards are extensively used in applications that need strong authentication and protection of security features. Among the cards offered by different companies, MIFARE DESFire cards are among the most widely used. The hardware and software design, as well as the implementation details, of MIFARE DESFire cards are kept secret by their manufacturer. One of the important functions is authentication, whose procedure is usually kept secret in such cards.
MIFARE DESFire EV3 is the fourth generation of the MIFARE DESFire products and supports integrity-protected and confidentiality-protected communication. DESFire EV3 is the latest addition to the MIFARE DESFire family of smart card chipsets from NXP. This type of card is compatible with MIFARE DESFire D40, EV1, and EV2. This paper introduces the details of the authentication protocols of the MIFARE DESFire EV3 card with its three different secure messaging protocols. We use a ProxMarak4 as the reader to obtain the details of the authentication protocol of the DESFire cards, and a custom special-purpose board as the card.
