
Collision Attacks on Hashing Modes of Areion

Conference paper
Cryptology and Network Security (CANS 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14906)

Abstract

Areion is a family of wide-block permutations proposed at CHES 2023. For the security of Areion against differential attacks, the designers showed only upper bounds on the differential characteristic probability, derived from lower bounds on the number of active S-boxes obtained by a byte-wise search. In this paper, we obtain tighter bounds on the differential characteristic probability of Areion with a bit-wise SAT-based search tool. We discover a new inherent property of the S-box layers of the Areion permutation that was overlooked in the designers' evaluation; it allows us to significantly tighten the bounds on the differential probability. Furthermore, combining this new property with our SAT-based tool, we develop collision attacks on the Areion-DM (Davies-Meyer) and Areion-MD (Merkle-Damgård) hashing modes. As a result, we demonstrate 4/6-round collision attacks on Areion256/512-DM and a 7-round semi-free-start collision attack on Areion-MD.



Acknowledgements

The authors would like to thank Emanuele Bellini and the anonymous reviewers for their valuable comments and suggestions. This result is obtained from the commissioned research (JPJ012368C05801) by the National Institute of Information and Communications Technology (NICT), Japan. This work was also supported by JSPS KAKENHI Grant Number JP24H00696.

Author information

Corresponding author: Takanori Isobe.


Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Taiyama, K., Sakamoto, K., Shiba, R., Isobe, T. (2025). Collision Attacks on Hashing Modes of Areion. In: Kohlweiss, M., Di Pietro, R., Beresford, A. (eds) Cryptology and Network Security. CANS 2024. Lecture Notes in Computer Science, vol 14906. Springer, Singapore. https://doi.org/10.1007/978-981-97-8016-7_12

  • DOI: https://doi.org/10.1007/978-981-97-8016-7_12

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-8015-0

  • Online ISBN: 978-981-97-8016-7
