Author = Zahra Ahmadian

Integral Attack on CHILOW

Articles in Press, Corrected Proof, Available Online from 19 March 2026

https://doi.org/10.22042/isecure.2026.242054

Akram Khalesi, Zahra Ahmadian

Abstract CHILOW is a family of tweakable block ciphers introduced at Eurocrypt 2025, prioritizing decryption speed over encryption speed. This is achieved through a low-latency non-linear layer of degree two within the round function and a minimal number of rounds. As a result, CHILOW presents an appealing target for attacks that exploit its algebraic properties. These characteristics, along with the strict query limitations imposed by the designers, motivate our investigation into CHILOW's security against integral attacks leveraging the division property. We have identified several integral distinguishers, which vary in data complexity and the number of balanced output bits. Specifically, for CHILOW-(32+τ), we derived a 4-round distinguisher with 15 constant bits in the input, in which all 32 output bits are balanced. However, the longest integral distinguisher that complies with the query limitations extends only to 3 rounds. For CHILOW-40, integral distinguishers of up to 5 rounds are detected; however, only those spanning three rounds meet the query constraints. Furthermore, we have explored the potential for extending these distinguishers to key-recovery attacks and analyzed their complexity. Using the 3-round distinguisher on CHILOW-(32+τ), we propose a key-recovery attack with a 32-bit advantage, a data complexity of 2^40 chosen ciphertexts and a time complexity of 2^40 decryptions, all within the query limits. Therefore, by performing an exhaustive search over the remaining key candidates, a single candidate for the master key can be recovered, resulting in an overall attack time complexity of 2^96 decryptions. Additionally, we present an integral key-recovery attack on the 6-round version of CHILOW-(32+τ) with a data complexity of 2^8 chosen ciphertexts and a time complexity of 2^102.6 encryptions. This attack only obtains information about the tweaks of the last three rounds; using this information to recover the master key will be the subject of future research.
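The distinguisher check behind the abstract (fix some input bits to constants, run through every value of the remaining active bits, and ask which output bits XOR to zero over the whole set) can be seen on a small cipher. The following is an added illustration, not CHILOW and not the authors' code: it uses an assumed toy 16-bit SPN (PRESENT's 4-bit S-box, a PRESENT-style bit permutation scaled to four nibbles, and random round keys) and reports, for a chosen set of active input bits, how many rounds stay fully balanced. One active nibble (12 constant bits, 16 chosen plaintexts) is balanced through three rounds of this toy cipher; one active bit is not balanced even after one round, because the S-box output then takes only two distinct values.

```python
"""
Integral-distinguisher search on a toy 16-bit SPN (added example; assumed cipher,
not CHILOW and not the authors' implementation).
"""
import random

# PRESENT's 4-bit S-box, used only as a convenient degree-3 bijection.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
BLOCK_BITS = 16
NIBBLES = BLOCK_BITS // 4
MASK = (1 << BLOCK_BITS) - 1


def sbox_layer(x):
    out = 0
    for i in range(NIBBLES):
        out |= SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    return out


def perm_layer(x):
    # Bit i of nibble j moves to bit j of nibble i (PRESENT-style, 16-bit version).
    out = 0
    for i in range(BLOCK_BITS):
        if (x >> i) & 1:
            out |= 1 << ((i % 4) * 4 + i // 4)
    return out


def encrypt(pt, round_keys):
    """len(round_keys)-1 rounds of (key add, S-box, permutation), then a final key add."""
    x = pt
    for k in round_keys[:-1]:
        x = perm_layer(sbox_layer(x ^ k))
    return x ^ round_keys[-1]


def integral_sum(cipher, active_mask, const):
    """XOR of ciphertexts over all 2^k plaintexts that agree with `const` on the
    constant (non-active) bits and take every value on the k active bits."""
    active_bits = [i for i in range(BLOCK_BITS) if (active_mask >> i) & 1]
    acc = 0
    for v in range(1 << len(active_bits)):
        pt = const & ~active_mask & MASK
        for j, b in enumerate(active_bits):
            if (v >> j) & 1:
                pt |= 1 << b
        acc ^= cipher(pt)
    return acc


def balanced_bits(rounds, active_mask, trials=8, seed=1):
    """Mask of output bits whose XOR-sum is zero in every trial; each trial uses
    fresh random round keys and a fresh random constant part."""
    rng = random.Random(seed)
    balanced = MASK
    for _ in range(trials):
        keys = [rng.getrandbits(BLOCK_BITS) for _ in range(rounds + 1)]
        const = rng.getrandbits(BLOCK_BITS)
        s = integral_sum(lambda p: encrypt(p, keys), active_mask, const)
        balanced &= ~s & MASK
    return balanced


def longest_all_balanced(active_mask, max_rounds=6):
    """Largest round count for which every output bit is balanced (0 if none)."""
    best = 0
    for r in range(1, max_rounds + 1):
        if balanced_bits(r, active_mask) == MASK:
            best = r
    return best


if __name__ == "__main__":
    for mask, label in ((0x0001, "1 active bit"), (0x000F, "1 active nibble"),
                        (0x00FF, "2 active nibbles")):
        for r in range(1, 6):
            nb = bin(balanced_bits(r, mask)).count("1")
            print(f"{label:16s} rounds={r}: {nb:2d}/16 balanced output bits")
```

The data/constant-bit trade-off in the abstract is the `active_mask` argument: every extra active bit doubles the number of chosen texts. The balanced-bit count per round is the same "number of balanced output bits" the abstract uses to rank distinguishers; the last round in which all bits stay balanced is the distinguisher length to extend into key recovery.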

New Variations of Discrete Logarithm Problem

Volume 15, Issue 3, October 2023, Pages 91-100

https://doi.org/10.22042/isecure.2023.184477

Mahdi Mahdavi Oliaee, Sahar Khaleghifard, Zahra Ahmadian

Abstract The security of public key cryptography relies on the complexity of certain mathematical hard problems. It is vital to comprehend the intricacy of these problems to develop secure cryptographic schemes and security protocols. This paper provides an overview of some widely recognized hard problems associated with the discrete logarithm problem, including the reductions among them. Furthermore, we introduce a novel hard problem that is equivalent to the discrete logarithm problem, which also has a decisional version. Additionally, a set of new problems is presented, which can be instrumental in the design of secure encryption schemes. This paper is intended to provide crucial insights into the realm of hard problems in cryptography, facilitating a better understanding of security measures.

Biclique Cryptanalysis of Block Ciphers LBlock and TWINE-80 with Practical Data Complexity

Volume 11, Issue 1, January 2019, Pages 57-74

https://doi.org/10.22042/isecure.2018.138036.420

Siavash Ahmadi, Zahra Ahmadian, Javad Mohajeri, Mohammad Reza Aref

Abstract In the biclique attack, a shorter biclique usually results in lower data complexity, but at the expense of higher computational complexity. The early-abort technique can be used in the partial-matching phase of the biclique attack to slightly reduce the computation. In this paper, we make use of this technique, but instead of a slight improvement in computational complexity, we keep that complexity the same and reduce the data complexity enormously by using a shorter biclique.
With this approach, we analyse full-round LBlock, and also LBlock with a modified key schedule (designed to resist biclique attacks), both with data complexity 2^12; the data complexity of the best previous biclique attack on the former was 2^52, and for the latter no attack on the full-round cipher was known so far. We then propose a new key schedule that is more resistant to biclique cryptanalysis, although the low diffusion of the cipher makes it vulnerable to this attack regardless of the strength of the key schedule. Using the same method, we also analyse TWINE-80 with 2^12 data complexity, whereas the lowest data complexity of the prior attack on TWINE-80 was 2^60. In all the attacks presented in this paper, the computational complexities are slightly improved in comparison to the existing attacks.