Research Article New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4
|
|
- Rosalind Cameron
- 5 years ago
- Views:
Transcription
1 Hindawi ecurity and Communication Networks Volume 2017, Article ID , 10 pages Research Article New Linear Cryptanalysis of Chinese Commercial Block Cipher tandard M4 Yu Liu, 1,2 Huicong Liang, 1 Wei Wang, 1 and Meiqin Wang 1 1 Key Laboratory of Cryptologic Technology and Information ecurity, Ministry of Education, handong University, Jinan, China 2 Weifang University, Weifang, China Correspondence should be addressed to Meiqin Wang; mqwang@sdu.edu.cn Received 8 June 2017; Accepted 1 August 2017; Published 6 eptember 2017 Academic Editor: Jesús Díaz-Verdejo Copyright 2017 Yu Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. M4 is a Chinese commercial block cipher standard used for wireless communication in China. In this paper, we use the partial linear approximation table of -box to search for three rounds of iterative linear approximations of M4, based on which the linear approximation for 20-round M4 has been constructed. However, the best previous identified linear approximation only covers 19 rounds. At the same time, a linear approximation for 19-round M4 is obtained, which is better than the known results. Furthermore, we show the key recovery attack on 24-round M4 which is the best attack according to the number of rounds. 1. Introduction M4 [1], issued in 2006 by Chinese government, serves the WAPI (WLAN Authentication and Privacy Infrastructure) as the underling block cipher for the security of wireless LANs. In 2012, M4 was announced as the Chinese commercial block cipher standard, renamed M4 [2]. M4 receives more attention from the cryptographic community and a lot of cryptanalytic results for M4 have been produced. In [], the rectangle and boomerang attacks on 18-round M4 and the linear and differential attacks on 22-round M4 have been presented. Using multiple linear attack, Etrog and Robshaw gave an attack on 2-round M4 in [4]. Besides these, the differential attack and the multiple linear attack on 22-round M4 have been introduced in [5, 6]. Till now, the best differential attack for 2-round M4 is given in [7]. Cho and Nyberg proposed a multidimensional linear attack on 2-round M4 in [8]. The best linear attack on 2-round M4 is provided by Liu and Chen in [9]. Bai and Wu proposed a new lookup-table-based white-box implementation for M4 which could protect the large linear encodings from being cancelled out in [10]. Moreover, related-key differential attack on M4 has been given in [11] and the lower bound of the number of linear active -boxes for M4-like ciphers has been analyzed in [12]. Linear cryptanalysis [1] is one of the most important techniques in the analysis of symmetric-key cryptographic primitives. The linear cryptanalysis focuses on the linear approximation between plaintext, ciphertext, and key. If a cipher behaves differently from a random permutation for linear cryptanalysis, this can be used to build a distinguisher or even a key recovery attack through adding some rounds. The subkeys of appended rounds are guessed and the ciphertexts are decrypted and/or plaintexts are encrypted using these subkeys to calculate intermediate state at the ends of distinguisher. If the subkeys are correctly guessed, then the distinguisher should hold. Otherwise, it will fail. Linear cryptanalysis has been used to analyze many ciphers such as [14 17]. Our Contributions.Intermsofthenumberofroundsthatall the previous attacks for M4 can work, the best key recovery attacks on M4 are linear cryptanalysis and differential cryptanalysis, and both of them are based on 19-round distinguishers. Whether we can get a better distinguisher is our first motivation to improve the attacks on M4. Therefore, we focus on searching the linear approximation for M4 to improve the attacks on M4. The contributions of this paper are summarized as follows. The best previous linear attacks work on the 19-round linear approximations. We design a new search algorithm for the
2 2 ecurity and Communication Networks Table 1: ummary of linear approximations of M4. Rounds Bias Reference [9] ection ection iterative linear approximations for small rounds of M4 by gradually expanding the partial linear approximation table of -box. Firstly, it is proved that there is no one-round or tworound iterative linear approximation for M4, and then some propertiesareobtainedfortheiterativelinearapproximations of -round M4. Based on these properties, we utilize our searching algorithm to get an 19-round linear approximation with bias 2 58 and a 20-round linear approximation with bias The results about our identified linear approximations withthepreviousonesaredepictedintable1.itcanbeseen thatourlinearapproximationsarethebestonessofar. The best previous attacks can work on 2-round M4. Utilizing our identified 20-round linear approximation of M4, we give a key recovery attack on 24-round M4, which is the best attack according to the number of rounds for M4. Moreover, the new 19-round linear approximation is used to attack 2-round M4. As a result, the best previous linear attack on 2-round M4 is improved. A summary of our attacks and the previous attacks on M4 is listed in Table 2. The paper is organized as follows. ection 2 briefly describes the notations used in this paper and introduces the M4 block cipher. ection shows how to search the better linear approximations for M4. In ection 4, we use the 19-round and 20-round linear approximations to attack 2- round and 24-round M4, respectively. ection 5 concludes this paper. Xr 0 T Xr 1 Xr 2 Xr L 2 k r Xr+1 0 Xr+1 1 Xr+1 2 Xr+1 Figure 1: The round function of M4. as (P 0,P 1,P 2,P ) = (X 0 0,X1 0,X2 0,X 2 0 ) (F2 )4,andtheencryption procedure is described as follows: X r+1 =X0 r T(X1 r X2 r X r k r) =X 0 r L (X1 r X2 r X r k r), for r=0,...,1, where k r is the rth round s subkey (0 r 1).Theciphertext (C 0,C 1,C 2,C ) = (X 2,X2 2,X1 2,X0 2 ).Thedecryption procedureisthesameastheencryptionprocedurewiththe reverse order of subkeys. One round of M4 is shown in Figure 1. It can be known from Figure 1 that T is composed of the nonlinear layer and the linear transformation L. Layer has four 8 8boxes used in parallel. The specification of the -box could be referred to [1]. Let X F 2 2 and Y F 2 2 be the 2-bit input and output words of the linear transformation L.Then (1) 2. Preliminaries 2.1. Notations. In this subsection, we will present the notations used in this paper as follows: Y=L(X) =X (X 2) (X ) (X ) (X ). (2) (i) :abitwisexoroperation (ii) : concatenation of two words (iii) : left cyclic shift operation (iv) : multiplication of two vectors, matrix and vector, or two matrices (v) :bitwiseinnerproduct (vi) &&: logical AND operation (vii) X[i]:theith bit of X (viii) X[i j]: a bit string starting from the ith bit to the jth bit of X Brief Description of M4. M4 is a Chinese national standard block cipher used in WAPI for WLAN. It has 128- bit block size and the key size is also 128 bits. The design of M4isbasedontheunbalancedgeneralizedFeistelstructure and the number of rounds is 2. We denote the plaintext ThekeyscheduleofM4issimilartotheencryption procedurebuttheonlydifferencebetweenthemisthatthe linear transformation in the key schedule is L (X) =X (X 1) (X 2). () The 128-bit master key (MK 0, MK 1, MK 2, MK ) is first masked with the constants FK 0, FK 1, FK 2, FK and then input to the key schedule function. (K 0,K 1,K 2,K )=(MK 0 FK 0, MK 1 FK 1, MK 2 FK 2, MK FK ), where FK 0 = 0xab1bac6, FK 1 = 0x56aa50, FK = 0x677d9197, andfk = 0xb27022dc. Andthenk r is computed as follows: (4) k r =K r+4 =K r L (K r+1 K r+2 K r+ CK r ), (5) where CK r, r=0,1,...,1,istheconstant.
3 ecurity and Communication Networks Table2:ummaryofattacksonM4. Rounds Attack type Data Time Memory ource 1 Integral [6] 16 Impossible differential [18] 18 Rectangle [] 18 Boomerang [] 22 Multiple linear [19] 2 Differential [7] 2 Multidimensional linear [9] 2 Linear [9] 2 Linear ection 4 24 Linear ection 4. earch for the Linear Approximations of M4 In terms of the number of rounds, all previous attacks for M4 can work. One of the best key recovery attacks on M4 is linear and differential cryptanalysis, and both of them are based on 19-round distinguishers. Whether we can get a better distinguisher is our first motivation to improve the attacks on M4. Therefore, the key point is to search for the linear approximation of M4. As far as we know, some methods to search for linear approximations of M4 have beenconsideredin[,4,9,19]. The search method in [] is to construct linear approximations for reduced-round M4 by identifying a one-round linear approximation with the same input and output masks for the T function. In this way, the number of active T functions can be minimized. As a result, an 18-round linear approximation with bias for M4 has been found. In [4], Etrog and Robshaw derived a 5-round iterative linear approximation where only the last two rounds are active, and then they concatenated three five-round iterative linear approximations to construct an 18-round linear approximation with bias In[19],Liuetal.usedthebranch-and-boundalgorithm in [20] to obtain a series of 5-round iterative linear approximations, which are utilized to construct an 18-round linear approximation with bias In order to get a better linear approximation for M4, Liu andchengaveamorededicatedsearchalgorithmin[9].they firstly used an MILP-based method to search the mode for the linear approximation with the minimum number of active - boxes for reduced-round M4; then based on the identified mode they found the 19-round linear approximation with bias It is obvious that even if the number of active -boxes for a linear approximation is minimized, the absolute of its bias might not be maximum. From this point, we focus on searching for better linear approximations with a few more active -boxes. At CT-RA 2014, Biryukov and Velichkov extended the branch-and-bound algorithm to search for the differential characteristics of ARX ciphers where the partial differential distribution table for modular addition is used in order to improve the search efficiency [21]. Inspired from this idea, we will use the partial linear approximation table to search forlinearapproximationsofm4. At first, some properties for basic operations such as the XOR operation, the three-forked branching operation, and the linear map will be introduced. Lemma 1 (XOR operation [22]). Let f(x 0,x 1 )=x 0 x 1 ;the input mask vector and output mask are Γ = (Γ 0,Γ 1 ) and Λ, respectively. Then Pr(Λ f(x 0,x 1 )=Γ 0 x 0 Γ 1 x 1 ) =1/2if and only if Γ 0 =Γ 1 =Λ. Lemma 2 (three-forked branching operation [22]). Let f(x) = (x, x); the input mask and output linear mask vector are Γ and Λ=(Λ 0,Λ 1 ),respectively.thenpr(γ x = Λ f(x)) = 1/2 if and only if Γ=Λ 0 Λ 1. Lemma (linear map [2]). Let f(x) = M x with the input mask vector Γ=(Γ 0,Γ 1,...,Γ n 1 ) andoutputmaskvectorλ= (Λ 0,Λ 1,...,Λ n 1 );thenpr(γ x = Λ f(x)) =1/2if and only if Γ=M T Λ,whereM T is the transposed matrix of M and M is an n ninvertible binary matrix. Biases in the linear approximation table for -box of M4 take the values l/2 8 (2 l 16).Ifweputall the linear approximation table into the search program, the program will be too slow to get a better linear approximation. Thus, the partial linear approximation table is used in the searchalgorithm.thebasicideaisthatlinearapproximations of -box with higher bias are utilized first. If no better linear approximation is output, then we can expand the partial linear approximation table by appending more linear approximations of -box with less bias successively till a better linear approximation is output. In order to get a better linear approximation, one common method is to find iterative linear approximations for short rounds first based on which long rounds of linear approximations could be produced directly. Thus, we will focus on searching for iterative linear approximations of M4. Now three properties for iterative linear approximations of M4 are shown as follows. Property 4. There is no one-round iterative linear approximation with active -boxes on M4.
4 4 ecurity and Communication Networks Γ T r 0 Γr 1 Γr 2 Γr L 2 Λ r Γ r which implies Γ r = 0 andallthe-boxesinthisround are passive. Thus, there is no one-round iterative linear approximation for M4. Property 5. The iterative linear approximation for two rounds of M4 does not exist. Proof. If there is an iterative linear approximation for the first tworoundsinfigure2,thenwehave T Γr+1 0 L 2 Γr+1 1 Γr+1 2 Γr+1 Λ r+1 Γ r+1 Γ 0 r =Γ0 r+2, Γ 1 r =Γ1 r+2, Γ 2 r =Γ2 r+2, Γ r =Γ0 r+1. (9) T Γr+2 0 L 2 Γr+2 1 Γr+2 2 Γr+2 Λ r+2 Γ r+2 With the property of three-forked branch, we have Γ 1 r =Γ0 r+1 Γ r, Γ 2 r =Γ0 r+2 Γ r Γ r+1, Γ r =Γ1 r+2 Γ r Γ r+1, Γ 2 r+2 =Γ0 r Γ r+1. (10) Γr+ 0 Γr+ 1 Γr+ 2 Γr+ Figure 2: Linear approximation of -round M4. Proof. From Figure 2, if there is an iterative linear approximation for the first round, we have According to (9) and (10), we derive Γ 2 r =Γ0 r Γ r Γ r+1, Γ r =Γ1 r Γ r Γ r+1, Γ 2 r =Γ0 r Γ r+1. (11) Γ 0 r =Γ0 r+1, Γ 1 r =Γ1 r+1, Γ 2 r =Γ2 r+1, Γ r =Γ0 r. Using the property of three-forked branch, we have Γ 1 r =Γ0 r+1 Γ r, Γ 2 r =Γ1 r+1 Γ r, Γ r =Γ2 r+1 Γ r. From (6) and (7), we get Γ 1 r+1 =Γ0 r Γ r, Γ 0 r Γ r Γ r =Γ 2 r+1, Γ r =Γ0 r Γ r Γ r Γ r =Γ 0 r Γ r =Γ 0 r, (6) (7) (8) Thus, Γ 0 r Γ r+1 =Γ 0 r Γ r Γ r+1 Γ r =0, (12) which means that Γ 0 r =Γ0 r+2 =0.ubstitutethetermsΓ r in the above formulas and we have Γ 1 r =Γ0 r+1 =Γ1 r+2, Γ 2 r =Γ r+1, Γ r =Γ1 r+2 Γ r+1 =Γ 0 r+1 Γ r+1 =Γ 0 r+1, (1) so Γ r+1 = 0,whichmeansthatall-boxesinthefirst two rounds are passive. Therefore, 2-round iterative linear approximation for M4 does not exist. Property 6. For the iterative linear approximation of - round M4, the minimum number of active -boxes is. Meanwhile,eachroundhasoneactive-boxandtheactive -boxes are located in the same positions of three rounds.
5 ecurity and Communication Networks 5 Table : Linear approximation for 19-round M4. Round i Γ 0 i Λ i Γ i Bias Γ 1 i Γ 2 i Γ i A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A0828 Proof. If there is an iterative linear approximation for three rounds in Figure 2, then we have o Γ 1 r Γ r Γ r+2 =Γ 2 r, Γ r Γ r Γ r+1 Γ r+2 =Γ 0 r, Γ 0 r Γ r+1 Γ r+2 =Γ 1 r. Γ r =Γ2 r Γ r Γ r+1, Γ r+1 =Γ r Γ r+2, (14) Γ 0 r =Γ r. (15) We focus on the linear approximation with less active - boxes. From (15), it is impossible for a three-round iterative linear approximation to have only one active -box. If there are two active -boxes, then Γ r =0or Γ r+1 =0or Γ r+2 =0. Hence, all -boxes in the three-round linear approximation are passive. Take Γ r =0as an example. If Γ r =0,thenΛ r =0, which implies Γ 0 r =0.Then Γ r =Γ0 r+ =Γ r+ =Γ0 r =0, Γ 0 r+2 =Γ r+ Γ 0 r+2 =0. Thus, Λ r+2 =0;wehaveΓ r+2 =0. 0=Γ r Γ r =Γ 2 r+1 =Γ r+1 Γ 1 r+2 =Γ r+1 Γ r+2 Γ 0 r+ =Γ r+1. (16) (17) In the cases Γ r+1 = 0 and Γ r+2 = 0,wecanalso obtain that there is no active -box in the three-round linear approximation by the similar way of the case Γ r = 0. Therefore, the iterative linear approximation for three-round M4 has at least three active -boxes. From (15), it is clear that eachroundhasoneactive-boxandtheseactive-boxesare locatedinthesamepositionsofthreerounds. From Property 6, we will try to search for the iterative linear approximation of -round M4 where each round has only one active -box. The search algorithm is listed in Algorithm 1. In Algorithm 1, the following notations are used. Γ r =Γ r,0 Γ r,1 Γ r,2 Γ r, and Λ r =Λ r,0 Λ r,1 Λ r,2 Λ r, are input and output masks of -layer in the rth round. Γ r,j and Λ r,j are input and output mask of the jth -box of the rth round. T l is a partial linear approximation table of -box which consists of linear approximations with bias no less than l/2 8 (2 l 16). After proceeding the search algorithm, we identify round iterative linear approximations with bias 2 10.With any -round iterative linear approximation, we can construct linear approximations for 19-round and 20-round M4 with bias 2 58 and 2 61, respectively. Compared with the best previous 19-round linear approximation in [9], the bias has been improved from to In Tables and 4, we give linear approximations for 19-round and 20-round M4, respectively, where all masks are denoted as hexadecimal values and is undecided. 4. Key Recovery Attacks for M Linear Attack on 24-Round M4. We append two rounds to the bottom and the top of the 20-round linear
6 6 ecurity and Communication Networks (1) for l 16to 2 do (2) for j 0to do () for all Λ 0,j =0, Λ 1,j =0, Λ 2,j =0, Λ 0,j =Λ 1,j =Λ 2,j =0, (0 j =j )do (4) Γ 0,j =Γ 1,j =Γ 2,j =0, (0 j =j ) (5) find all m 0 input masks indexed by Λ 0,j from T l,andstoreinr j [m 0 ] (6) for k 0 0to m 0 1do (7) Γ 0,j R j [k 0 ] (8) find all m 1 input masks indexed by Λ 1,j from T l,andstoreinr j [m 1 ] (9) for k 1 0to m 1 1do (10) Γ 1,j R j [k 1 ] (11) find all m 2 input masks indexed by Λ 2,j from T l,andstoreinr j [m 2 ] (12) for k 2 0to m 2 1do (1) Γ 2,j R j [k 2 ] (14) for i 0to 2 do (15) Γ 0 i =L T (Λ i,0 Λ i,1 Λ i,2 Λ i, )=L T (Λ i ) (16) end for (17) for i 0to 2 do (18) Γ i =Γ i,0 Γ i,1 Γ i,2 Γ i, (19) end for (20) (21) Γ 0 =Γ0 0 Γ 1 =Γ0 0 Γ 1 Γ 2 (22) (2) Γ 2 =Γ0 1 Γ 2 Γ 0 =Γ0 0 Γ 0 Γ 1 Γ 2 (24) (25) Γ 1 0 =Γ0 1 Γ 0 Γ 2 0 =Γ0 2 Γ 0 Γ 1 (26) (27) if Γ 0 =Γ0 2 && Γ1 0 =Γ1 && Γ2 0 =Γ2 then return Γ 0 0,Γ0 1,Γ0 2,Γ0,Γ 0,Γ 1,Γ 2 (28) // -round iterative linear approximation (29) else (0) continue. (1) end if (2) end for () end for (4) end for (5) end for (6) end for (7) l = l 2 (8) end for Algorithm 1: earch algorithm for iterative linear approximation of -round M4. approximation in Table 4, respectively. Then a linear attack on 24-round M4 is presented. The partial sum technique [24] is used in the partial encryption and decryption procedures. ee Figure. According to the linear approximation in Figure, we denote Γ 0 2 = Γ 2 = Γ 0 22 = Γ 22 = 0x8808A228, Γ 1 2 = 0x8808C228, Γ 2 2 =Γ1 22 = 0x , Γ2 22 = 0x , Λ 1 =Λ 22 = 0x , andλ 1,2 =Λ 22,2 =0x82.From the linear approximation, we have Γ 0 2 X0 2 Γ1 2 X1 2 Γ2 2 X2 2 Γ 2 X 2 Γ0 22 X0 22 Γ1 22 X 1 22 Γ2 22 X2 22 Γ 22 X 22 =κ. (18) Consider the partial encryption and decryption; the left side of the above equation can be written as follows: Γ 0 2 P 2 Γ 1 2 P Γ 2 2 (P 0 XX 0 ) Γ 0 2 (P 1 XX 1 ) Γ 0 2 (C 2 XX 22 ) Γ 2 2 (C XX 2 ) Γ 2 22 C 0 Γ 0 2 C 1 =Γ 0 2 P 2 Γ 1 2 P Γ 2 2 P 0 Γ 0 2 P 1 Γ 0 2 C 2 Γ 2 2 C Γ 2 22 C 0 Γ 0 2 C 1 Γ 2 2 XX 0 Γ 0 2 XX 1 Γ 0 2 XX 22 Γ 2 2 XX 2, (19) where XX r is the state after transformation T and X r is the state after layer in the rth round. ince Γ 0 2 XX 22 =Λ 22 X 22 =Λ 22,2 X 22 [16 2] =Λ 1,2 ((X 1 22 X2 22 X 22 k 22) [16 2]) =Λ 1,2 ((C C 0 C 1 ) [16 2]
7 ecurity and Communication Networks 7 Table 4: Linear approximation for 20-round M4. Round i Γ 0 i Λ i Γ i Bias Γ 1 i Γ 2 i Γ i A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A A228 XX 2 [16 2] k 22 [16 2]), Γ 0 2 XX 1 =Λ 1 X 1 =Λ 1,2 X 1 [16 2] =Λ 1,2 ((X 1 1 X2 1 X 1 k 1) [16 2]) =Λ 1,2 ((P 0 P 2 P ) [16 2] XX 0 [16 2] k 1 [16 2]), then, (19) can be transformed into Γ 0 2 P 2 Γ 1 2 P Γ 2 2 P 0 Γ 0 2 P 1 Γ 0 2 C 2 Γ 2 2 C Γ 2 22 C 0 Γ 0 2 C 1 Γ 2 2 T(P 1 P 2 P k 0 ) Λ 1,2 ((P 0 P 2 P ) [16 2] XX 0 [16 2] k 1 [16 2]) Λ 1,2 ((C C 0 C 1 ) [16 2] XX 2 [16 2] k 22 [16 2]) Γ 2 2 T(C 0 C 1 C 2 k 2 ). (20) (21) Let O =Γ 0 2 P 2 Γ 1 2 P Γ 2 2 P 0 Γ 0 2 P 1 Γ 0 2 C 2 Γ 2 2 C Γ 2 22 C 0 Γ 0 2 C 1. The attack process is given as follows: (1) CollectN plaintext/ciphertext pairs. (2) Initialize 2 81 counters V 0 [0],...,V 0 [2 81 1] to zero. () For every plaintext/ciphertext pair, calculate w=o (P 0 P 2 P )[16 2] (C C 0 C 1 )[16 2] C 0 C 1 C 2 P 1 P 2 P. Then increase the counter V 0 [w] by one. (4) Guess the 2-bit k 2.Allocate2 49 counters V 1 [0],...,V 1 [2 49 1] to zero. (5) For every 0 w ,calculateO O Γ 2 2 T(C 0 C 1 C 2 k 2 ), XX 2 and x=o (P 0 P 2 P )[16 2] (C C 0 C 1 )[16 2] XX 2 [16 2] P 1 P 2 P. V 1 [x] += V 0 [w]. (6) Guess the 8-bit k 22 [16 2]. Allocate 2 41 counters V 2 [0],...,V 2 [2 41 1] to zero. (7) For every 0 x , calculateo O Λ 1,2 ((C C 0 C 1 )[16 2] XX 2 [16 2] k 22 [16 2]) and y=o (P 0 P 2 P )[16 2] P 1 P 2 P. V 2 [y] += V 1 [x]. (8) Guess the 2-bit k 0.Allocate2 9 counters V [0],..., V [2 9 1] to zero. (9) For every 0 y ,calculateO O Γ 2 2 T(P 1 P 2 P k 0 ), XX 0 and z=o (P 0 P 2 P )[16 2] XX 0 [16 2]. V [z] += V 2 [y]. (10) Guess the 8-bit k 1 [16 2]. Initialize 2 80 counters V key [0],...,V key [2 80 1] to zero. (11) For every 0 z 2 9 1, calculateo O Λ 1,2 ((P 0 P 2 P )[16 2] XX 0 [16 2] k 1 [16 2]). If O =0,increasethecounterV key [k 0 k 1 [16 2] k 22 [16 2] k 2 ] by V [z];otherwise,decreaseitby V [z]. (12) We set the advantage a to be 47 which implies that the top 2 absolute values in V key are kept. For each
8 8 ecurity and Communication Networks P 0 X0 0 P 1 X0 1 P 2 X0 2 P X0 2 k 0 XX 0 X 0 X1 0 2 Λ 1 k 1 X1 1 X1 2 X1 XX X 1 00 X2 0 X2 1 X2 2 X2 0x8808A228 0x8808C228 0x x8808A228 Γ2 0 Γ2 1 Γ2 2 Γ2 20-round linear approximation Γ21 0 Γ21 1 Γ21 2 Γ21 0x8808A228 0x x x8808A228 X22 0 X22 1 X22 2 X22 2 Λ 22 k 22 XX X X2 0 2 k 2 X2 1 X2 2 X2 XX 2 X 2 C 0 X 0 24 C 1 X 1 24 C 2 X 2 24 C X 24 Figure:Keyrecoveryattackon24-roundM4.
9 ecurity and Communication Networks 9 kept subkey value, we guess the remaining 88 bits of k 1 [0 15, 24 1] k 2 k (the master key can be gotten from the key schedule) and test the key by trail encryptions. The time complexity of tep () is about operations which is equivalent to /24 = round encryptions. Both teps (5) and (9) need 2 11 one-round decryptions or encryptions. teps (7) and (11) take 2 89 one-round decryptions or encryptions. The complexity of tep (12) is round encryptions. o the total time complexity is about encryptions. The memory complexity of tep (2) is about =2 84 bytes and the counter V key requires =2 84 bytes, so the total memory complexity is about =2 85 bytes. If we set the data complexity N= , the success rate P =Φ(2 N ε 1+N/2 n Φ 1 (1 2 a 1 )) = 76.1%by[25]. The time complexity is round encryptions. 4.2.LinearAttackon2-RoundM4. Two rounds are added to the bottom and the top of the 19-round linear approximation in Table, respectively. The key recovery attack on 2-round M4 is similar to the attack procedure of 24-round M4, so we omit details of the process. If we set the data complexity N= and the advantage a to be 47, the time complexity is = round encryptions, and the memory complexity is 2 85 bytes. The success rate P = 85.9%iscomputedwiththemethodin [25]. 5. Conclusions In this paper, it is firstly shown that there is no one-round or two-round iterative linear approximation for M4 and the property for the -round iterative linear approximation. On the basis of the property, we search for the iterative linear approximation of -round M4 by the partial linear approximation table. Next the 20-round linear approximation is constructed by -round iterative linear approximations. The best previous distinguishers only cover 19 rounds. Then the key recovery attack on 24-round M4 is provided, which is the best known attack on M4 so far. Moreover, we also get a better 19-round linear approximation, used to improve the linear attack on 2-round M4. As for future work, we hope to use the similar technique to search for a better differential characteristic for M4. Conflicts of Interest The authors declare that there are no conflicts of interest regarding the publication of this paper. Acknowledgments Thisworkissupportedby97Program(no.201CB84205), NFC Projects (nos and ), and Program for New Century Excellent Talents in University of China (NCET-1-050). References [1] W. Diffie and G. Ledin, M4 Encryption Algorithm for Wireless Networks, Cryptology eprint Archive 2008/29, 2014, [2] Office of tate Commercial Cryptography Administration: pecification of M4, block cipher for WLAN products-m4 (Chinese), pdf. [] T. Kim, J. Kim,. Hong, and J. ung, Linear and Differential Cryptanalysis of Reduced M4 Block Cipher, IACR Cryptology eprint Archive 2008/281, 2008, pdf. [4] J.EtrogandM.J.B.Robshaw, TheCryptanalysisofReduced- Round M4, in elected Areas in Cryptography, vol.581of Lecture Notes in Computer cience, pp , pringer, Berlin, Germany, [5] W.Zhang,W.Wu,D.Feng,andB.u, omenewobservations on the M4 Block Cipher in the Chinese WAPI tandard, in Information ecurity Practice and Experience, vol.5451 of Lecture Notes in Computer cience, pp. 24 5, pringer, Berlin, Germany, [6] F.Liu,W.Ji,L.Huetal., AnalysisoftheM4BlockCipher, in Information ecurity and Privacy, vol.4586oflecture Notes in Computer cience, pp , pringer, Berlin, Germany, [7] B.-Z. u, W.-L. Wu, and W.-T. Zhang, ecurity of the M4 block cipher against differential cryptanalysis, JournalofComputer cience and Technology, vol. 26, no. 1, pp , [8] J.ChoandK.Nyberg, ImprovedLinearCryptanalysisofM4 Block Cipher, ymmetric Key Encryption Workshop, pp. 1 14, [9] M.-J. Liu and J.-Z. Chen, Improved linear attacks on the Chinese block cipher standard, Journal of Computer cience and Technology,vol.29,no.6,pp ,2014. [10] K. Bai and C. Wu, A secure white-box M4 implementation, ecurity and Communication Networks, vol.9,no.10,pp , [11] J. Zhang, W. Wu, and Y. Zheng, ecurity of M4 Against (Related-Key) Differential Cryptanalysis, in Proceedings of the International Conference on Information ecurity Practice and Experience, vol of Lecture Notes in Computer cience,pp , pringer, Berlin, Germany, November [12] B. Zhang and C. Jin, Practical security against linear cryptanalysis for M4-like ciphers with P round function, cience China Information ciences,vol.55,no.9,pp ,2012. [1] T. Helleseth, Linear cryptanalysis method for des cipher, in Advances in Cryptology EUROCRYPT, vol.765 of Lecture Notes in Computer cience, pp , pringer, Berlin, Germany, 199. [14] F. ano, K. Ohkuma, H. himizu, and. Kawamura, On the security of nested PN cipher against the differential and linear cryptanalysis, IEICE Transactions on Fundamentals of Electronics, Communications and Computer ciences, vol.e86- A, no. 1, pp. 7 46, 200. [15] G. Jakimoski and L. Kocarev, Differential and linear probabilities of a block-encryption cipher, IEEE Transactions on Circuits and ystems. I. Fundamental Theory and Applications, vol.50, no. 1, pp , 200.
10 10 ecurity and Communication Networks [16] Y. un, Linear Cryptanalysis of Light-Weight Block Cipher ICEBERG, in Advances in Electronic Commerce, Web Application and Communication,vol.149,pp ,pringerBerlin Heidelberg, Berlin, Germany, [17] Y. Liu, K. Fu, W. Wang, L. un, and M. Wang, Linear cryptanalysis of reduced-round PECK, Information Processing Letters,vol.116,no.,pp ,2016. [18] D. Toz and O. Dunkelman, Analysis of two attacks on reducedround versions of the M 4, in Information and Communications ecurity,vol.508oflecture Notes incomputer cience,pp , pringer Berlin Heidelberg, Berlin, Heidelberg, [19] Z. Liu, D. Gu, and J. Zhang, Multiple linear cryptanalysis of reduced-round M4 block cipher, Chinese Journal of Electronics,vol.19,no.,pp.89 9,2010. [20] M. Matsui, On correlation between the order of -boxes and the strength of DE, in Advances in cryptology EUROCRYPT, vol. 950 of Lecture Notes in Comput. ci.,pp.66 75,pringer, Berlin, Germany, [21] A. Biryukov and V. Velichkov, Automatic search for differential trails in ARX ciphers, in Topics in Cryptology CT-RA 2014, vol. 866 of Lecture Notes in Comput. ci.,pp ,pringer, Berlin, Germany, [22] E. Biham, On Matsui s linear cryptanalysis, in Advances in Cryptology, vol.950oflecture Notes in Comput. ci., pp.41 55, pringer, Berlin, Germany, [2] J. Daemen, R. Govaerts, and J. Vandewalle, Correlation matrices, in Fast oftware Encryption, vol of Lecture Notes in Computer cience, pp , pringer, Berlin, Germany, [24] N. Ferguson, J. Kelsey,. Lucks et al., Improved Cryptanalysis of Rijndael, in Fast oftware Encryption, vol of Lecture Notes in Computer cience, pp , pringer, Berlin, Germany, [25] A. Bogdanov and E. Tischhauser, On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2, in Fast oftware Encryption, vol of Lecture Notes in Computer cience, pp. 19 8, pringer, Berlin, Germany, 201.
11 Volume 201 International Journal of Rotating Machinery Journal of Volume 201 The cientific World Journal Journal of ensors International Journal of Distributed ensor Networks Journal of Control cience and Engineering Advances in Civil Engineering ubmit your manuscripts at Journal of Robotics Journal of Electrical and Computer Engineering Advances in OptoElectronics Volume 2014 VLI Design International Journal of Navigation and Observation Modelling & imulation in Engineering International Journal of International Journal of Antennas and Chemical Engineering Propagation Active and Passive Electronic Components hock and Vibration Advances in Acoustics and Vibration
Security of the SMS4 Block Cipher Against Differential Cryptanalysis
Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationS-box (Substitution box) is a basic component of symmetric
JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationNew Observation on Camellia
New Observation on Camellia Duo ei 1,iChao 2,andeqinFeng 3 1 Department of cience, National University of Defense Technology, Changsha, China Duoduolei@163.com 2 Department of cience, National University
More informationPractically Secure against Differential Cryptanalysis for Block Cipher SMS4
Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an
More informationResearch Article On the Security of a Novel Probabilistic Signature Based on Bilinear Square Diffie-Hellman Problem and Its Extension
e Scientific World Journal, Article ID 345686, 4 pages http://dx.doi.org/10.1155/2014/345686 Research Article On the Security of a Novel Probabilistic Signature Based on Bilinear Square Diffie-Hellman
More informationKey Difference Invariant Bias in Block Ciphers
Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationImproved Impossible Differential Attack on Reduced Version of Camellia-192/256
Improved Impossible Differential ttack on educed Version of Camellia-92/256 Ya iu, Dawu Gu, Zhiqiang iu, Wei i 2,3 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationCryptanalysis of a Multistage Encryption System
Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationImproved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256
Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationLinear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques
Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques Lingyue Qin 1, Huaifeng Chen 3, Xiaoyun Wang 2,3 1 Department of Computer Science and Technology, Tsinghua University, Beijing
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationGENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay
Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationSecurity of SM4 Against (Related-Key) Differential Cryptanalysis
Security of SM4 Against (Related-Key) Differential Cryptanalysis Jian Zhang 1,2, Wenling Wu 1(B), and Yafei Zheng 1 1 Institute of Software, Chinese Academy of Sciences, Beijing 100190, China {zhangjian,wwl,zhengyafei}@tca.iscas.ac.cn
More informationA Unified Method for Finding Impossible Differentials of Block Cipher Structures
A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai
More informationCryptanalysis of the Full DES and the Full 3DES Using a New Linear Property
Cryptanalysis of the ull DES and the ull 3DES Using a New Linear Property Tomer Ashur 1 and Raluca Posteuca 1 imec-cosic, KU Leuven, Leuven, Belgium [tomer.ashur, raluca.posteuca]@esat.kuleuven.be Abstract.
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationDifferential and Rectangle Attacks on Reduced-Round SHACAL-1
Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham,
More informationIntegral and Multidimensional Linear Distinguishers with Correlation Zero
Integral and Multidimensional Linear Distinguishers with Correlation Zero Andrey Bogdanov 1, regor Leander 2, Kaisa yberg 3, Meiqin Wang 4 1 KU Leuven, ESAT/SCD/COSIC and IBBT, Belgium 2 Technical University
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationSTP Models of Optimal Differential and Linear Trail for S-box Based Ciphers
STP Models of Optimal Differential and Linear Trail for S-box Based Ciphers Yu Liu 1,2, Huicong Liang 1, Muzhou Li 1, Luning Huang 1, Kai Hu 1, Chenhe Yang 1, and Meiqin Wang 1,3 1 Key Laboratory of Cryptologic
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationRelated-Key Rectangle Attack on 42-Round SHACAL-2
Related-Key Rectangle Attack on 42-Round SHACAL-2 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham, Surrey TW20
More informationMixed-integer Programming based Differential and Linear Cryptanalysis
Mixed-integer Programming based Differential and Linear Cryptanalysis Siwei Sun State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences Data Assurance
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationImproved Linear Cryptanalysis of SMS4 Block Cipher
Improved Linear Cryptanalysis of SMS4 Block Cipher Joo Yeon Cho 1 and Kaisa Nyberg 2 1 Nokia, Denmark joo.cho@nokia.com 2 Aalto University and Nokia, Finland kaisa.nyberg@tkk.fi Abstract. SMS4 is a block
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationZero-Correlation Linear Cryptanalysis of Reduced-Round LBlock
Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline
More informationChapter 2 - Differential cryptanalysis.
Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationCryptanalysis of Hummingbird-2
Cryptanalysis of Hummingbird-2 Kai Zhang, Lin Ding and Jie Guan (Zhengzhou Information Science and Technology Institute, Zhengzhou 450000, China) Abstract: Hummingbird is a lightweight encryption and message
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationA Brief Comparison of Simon and Simeck
A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationImpossible Boomerang Attack for Block Cipher Structures
Impossible Boomerang Attack for Block Cipher Structures Jiali Choy and Huihui Yap DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali, yhuihui@dso.org.sg Abstract. Impossible
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationBISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018
BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationHow Biased Are Linear Biases
How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationLinear Cryptanalysis of DES with Asymmetries
Linear Cryptanalysis of DES with Asymmetries Andrey Bogdanov and Philip S. Vejre Technical University of Denmark {anbog,psve}@dtu.dk Abstract. Linear cryptanalysis of DES, proposed by Matsui in 1993, has
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationOn Multiple Linear Approximations
On Multiple Linear Approximations Alex Biryukov, Christophe De Cannière, and Michael Quisquater Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationFinding good differential patterns for attacks on SHA-1
Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationRevisiting the Wrong-Key-Randomization Hypothesis
Revisiting the Wrong-Key-Randomization Hypothesis Tomer Ashur, Tim Beyne, and Vincent Rijmen ESAT/COSIC, KU Leuven and iminds, Leuven, Belgium [tomer.ashur,vincent.rijmen] @ esat.kuleuven.be [tim.beyne]
More informationA New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg Helsinki University of Technology, Department of Information
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationBit-Pattern Based Integral Attack
Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationImproved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method
Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method Zheng Li 1, Wenquan Bi 1, Xiaoyang Dong 2, and Xiaoyun Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationProduct Systems, Substitution-Permutation Networks, and Linear and Differential Analysis
Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationLinear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationOn the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2
On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2 Andrey Bogdanov 1 and Elmar Tischhauser 2 1 Technical University of Denmark anbog@dtu.dk 2 KU Leuven and iminds, Belgium
More informationLinear Cryptanalysis Using Low-bias Linear Approximations
Linear Cryptanalysis Using Low-bias Linear Approximations Tomer Ashur 1, Daniël Bodden 1, and Orr Dunkelman 2 1 Dept. Electrical Engineering, COSIC-imec, KU Leuven, Belgium [tashur,dbodden]@esat.kuleuven.be
More informationSalsa20 Cryptanalysis: New Moves and Revisiting Old Styles
Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra 1, Goutam Paul 1, Willi Meier 1 Indian Statistical Institute, Kolkata, India {subho,goutam.paul}@isical.ac.in FHNW, Windisch, Switzerland
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationBeijing , China
Automatic ecurity Evaluation and (Related-key) Differential Characteristic earch: Application to IMON, PREENT, LBlock, DE(L) and Other Bit-oriented Block Ciphers iwei un 1,2, Lei Hu 1,2, Peng Wang 1,2,
More informationMultivariate Linear Cryptanalysis: The Past and Future of PRESENT
Multivariate Linear Cryptanalysis: The Past and Future of PRESENT Andrey Bogdanov, Elmar Tischhauser, and Philip S. Vejre Technical University of Denmark, Denmark {anbog,ewti,psve}@dtu.dk June 29, 2016
More information