New Observation on Camellia
|
|
- Adelia Ford
- 5 years ago
- Views:
Transcription
1 New Observation on Camellia Duo ei 1,iChao 2,andeqinFeng 3 1 Department of cience, National University of Defense Technology, Changsha, China Duoduolei@163.com 2 Department of cience, National University of Defense Technology, Changsha, China 3 Department of Math, Tsinghua University, Beijing, China Abstract. In this paper, some observations on Camellia are presented, by which the quare attack and the Collision attack are improved. 11- round 256-bit Camellia without F function is breakable with complexity of encryptions. 9-round 128-bit Camellia without F function is breakable with the complexity of 2 90 encryptions. And 10-round 256- bit Camellia with F function is breakable with the complexity of encryptions and 9-round 128-bit Camellia with F function is breakable with the complexity of encryptions. These results are better than any other known results. It concludes that the most efficient attack on Camellia is quare attack. 1 Introduction Camellia [1] is a 128-bit block cipher proposed by NTT and Mitsubishi in It has the modified Feistel structure with irregular rounds, which is called the F/F 1 function layers. Camellia had been submitted to the standardization and the evaluation projects such as IO/IEC JTC 1/C 27, CYTEC, and NEIE. The most efficient methods analyzing Camellia are truncated differential cryptanalysis[4][5][6] and higher order differential attack[7][9]. Camellia with more than 11 rounds is secure against truncated differential cryptanalysis. quare attack[11] is a most efficient attack on AE[11][12]. Y. He and. Qing [2] showed that 6-round Camellia is breakable by it. Y.Yeom,. ark, and I. im [3] improved the result to 8 rounds. Collision attack on Camellia was presented by W Wu[10]. In this paper, some observations on Camellia are presented, by which the quare attack and the Collision attack are improved. Variant quare Attack can break 11-round 256-bit Camellia without F function with complexity of encryptions. 9-round 128-bit Camellia without F function is breakable with the complexity of 2 90 encryptions. And 10-round 256-bit Camellia with F function is breakable with the complexity of encryptions and 9-round 128-bit Camellia with F function is breakable with the complexity of encryptions. These results are better than any other known results. B. reneel and. Tavares (Eds.): AC 2005, NC 3897, pp , c pringer-verlag Berlin Heidelberg 2006
2 52 D. ei,. Chao, and. Feng Brief description of Camellia and some new structures equivalent to Camellia are presented in section2. In section 3, active bytes transformations on Camellias are illustrated and some new properties are demonstrated. Our attacking methods are described in section 4. ection 5 is some extension. The paper concludes with our most important results. 2 Equivalent tructures of Camellia 2.1 Description of the Camellia Camellia has a 128-bit block size and supports 128-, 192- and 256-bit keys. Camellia with a 128-bit key and 256-bit key is written as 128-Camellia, 256-Camellia. The design of Camellia is based on the Feistel structure and its number of rounds is 18(128-bit key) or 24(192-, 256-bit key). The F/F 1 function layer is inserted in it every 6 rounds in order to thwart future unknown attacks. Before the first round and after the last round, there are pre- and post-whitening layers. F function contains key-addition, -function and -function. -function contains 4 types of - boxes s 1, s 2, s 3,ands 4. s 2,s 3,s 4 are variations of s 1. The -function:{0, 1} 64 {0, 1} 64 maps (z 1,..., z 8 )to(z 1,..., z 8 ), defined as: z 1 = z 1 z 3 z 4 z 6 z 7 z 8 z 2 = z 1 z 2 z 4 z 5 z 7 z 8 z 3 = z 1 z 2 z 3 z 5 z 6 z 8 z 4 = z 2 z 3 z 4 z 5 z 6 z 7 z 5 = z 1 z 2 z 6 z 7 z 8 z 6 = z 2 z 3 z 5 z 7 z 8 z 7 = z 3 z 4 z 5 z 6 z 8 z 8 = z 1 z 4 z 5 z 6 z 7 We refer X (r), (r) to the rth round input and subkey, refer X(r) and X (r) to the left, right half bytes of X (r), which implies X (r) =(X(r),X (r) ). et X (ri) is the ith byte of X (r), and C be the laintext and Ciphertext, and X () be the last round output. The round function of Camellia is written as follows (named as Camellia-1), which is shown in Fig. 1: X (1) =,X (1) =, X (r+1) = X (r) (s(x (r) (r))), X (r+1) = X (r), C = X (),C = X () ound r Fig. 1. ound function of Camellia-1
3 New Observation on Camellia Three Equivalent tructures of Camellia We can write Camellia in following form called Camellia-2, where 1 is the inverse transformation of -function and X (r) is the rth round input of Camellia-2. Figure illustration of Camellia-2 is given in Fig. 2: X (1) = 1 ( ), X (1) = 1 ( ), X (r+1) = X (r) s( ( X (r) ) (r)), X (r+1) = X (r), C = ( X () ),C = ( X () ) ound r Fig. 2. ound function of Camellia-2 We can also write Camellia in the form of Camellia-3 where ˆX (r) is the rth round input. Figure illustration is given in Fig. 3: ˆX (1) =, ˆX (1) = 1 ( ), ˆX (r+1) = ˆX (r) s( ˆX (r) (r)), where r is odd ˆX (r+1) = ( ˆX (r) s( ( ˆX (r) ) (r))), where r is even ˆX (r+1) = ˆX (r), C = ˆX (),C = ( ˆX () ) ound 2r 1 ound 2r 2 Fig. 3. ound function of Camellia-3 The structure of Camellia-4 is given as follows where X (r) is the rth round input of that. Figure illustration is given in Fig. 4: X (1) = 1 ( ), X (1) =, X (r+1) = ( X (r) s( ( X (r) ) (r))), where r is odd X (r+1) = X (r) s( X (r) (r)), where r is even X (r+1) = X (r), C = ( X () ),C = X ()
4 54 D. ei,. Chao, and. Feng ound 2r 1 ound 2r 2 Fig. 4. ound function of Camellia-4 3 New Observations on Camellia 3.1 reliminaries et a Λ-set be a set of 256 states that are all different in some of the state bytes (the active) and all equal in the other state bytes (the passive). We have: x, y Λ : { x i y i x i = y i if x i is active else et Γ -set be a set of 256 states that are all equal to zero in summation (the balanced). x Γ : x i =0 Applying the -function or ey-addition on a Λ-set results in a Λ-set with the positions of the active bytes unchanged. The result set of applying -function to a Λ-set is not always a Λ-set but always a Γ -set. Applying ey-addition or -function on a Γ -set results in a Γ -set. Applying - function on a Γ -set results in the active bytes and passive bytes are still balanced. Applying AND operation, O operation or right shift operation on a Γ -set results in a Γ -set. Here, we give some definitions that are used in following sections. F: AΛ set has the form of {α 1, α 2, α 3, α 4, α 5, α 6, α 7, α 8, i, β 2, β 3, β 4, β 5, β 6, β 7, β 8 },inwhichα i, β j are constant, i {0,.., 255}. F t :AΛ set has the form of {α 1, α 2, α 3, α 4, α 5, α 6, α 7, α 8, i, β 2, β 3, β 4, β 5, β 6, β 7, γ t } t,inwhichα i, β j, γ k are constant, i {0,.., 255}. F t :AΛ set has the form of {i, β 2, β 3, β 4, β 5, β 6, β 7, γ t, s 1 (i k 1 ), α 2, α 3, α 4, α 5, α 6, α 7, s 1 (γ t k 2 )} t,inwhichα i, β j, γ k, k 1, k 2 are constant, i {0,.., 255}. F t :AΛ set has the form of {β 1, i β 2, i β 3, i β 4, i β 5, β 6, β 7, i γ t, s 1 (i k 1 ), s 1 (i k 1 ) α 2, s 1 (i k 1 ) α 3, α 4, s 1 (i k 1 ) α 5, α 6, α 7, s 1 (i k 1 ) α 8 } t,inwhichα i, β j, γ k, k 1 are constant, i {0,.., 255}. F t :AΛ set has the form of {s 1 (i k 1 ), α 2, α 3, α 4, α 5, α 6, α 7, s 1 (γ t k 2 ), 1 i, 2, 3, 4, 5, 6, 7, 8 γ t },inwhich{ 1, 2, 3, 4, 5, 6, 7, 8 } satisfy Eq.(1), α i, β j, γ k, η 1, η 2, η 3, η 4, η 5, η 6, η 7, η 8 k 1, k 2, k 3, k 4, k 5, k 6, k 7, k 8, k 9 are constant, i {0,.., 255}.
5 New Observation on Camellia s 1 (s 1 (i k 1 ) η 1 s 1 (γ t k 2 )) s 2 (s 1 (i k 1 ) η 2 s 1 (γ t k 2 )) s 3 (s 1 (i k 1 ) η 3 s 1 (γ t k 2 )) 4 5 = s 4 (η 4 ) s 2 (s 1 (i k 1 ) η 5 s 1 (γ t k 2 )) s 3 (η 6 s 1 (γ t k 2 )) s 4 (η 7 s 1 (γ t k 2 )) s 1 (s 1 (i k 1 ) η 8 ) F t :AΛ set has the form of {s 1 (i k 1 ), s 1 (i k 1 ) α 2, s 1 (i k 1 ) α 3, α 4, s 1 (i k 1 ) α 5, α 6, α 7, s 1 (i k 1 ), s 1 (s 1 (i k 1 ) k 2 ), s 2 (s 1 (i k 1 ) k 3 ) i, s 3 (s 1 (i k 1 ) k 4 ) i, α 4 i, s 2 (s 1 (i k 1 ) k 5 ) i, α 6, α 7, s 1 (s 1 (i k 1 ) k 6 ) i γ t )} t,inwhichα i, β j, γ k, k 1, k 2, k 3, k 4, k 5, k 6 are constant, i {0,.., 255}. In next section, we trace the position changes of the active bytes through 5 rounds transformations of Camellia-1 4 and the plaintext set {} is a Λ set F. We just describe the evolution of left half bytes of round outputs, for the left half bytes of previous round pass to right half bytes of next round unchanged. 3.2 Active Bytes Changing roperties In Camellia-1, X(1,1) is active byte, 1st round transformations convert the active byte to X(2,1), other bytes are passive. In 2nd round transformations, -function converts the active byte to 5 active bytes which are X(31), X (32), X (33),X (35), X(38) and three passive bytes. In 3rd round transformation, -function converts the active bytes to 8 balanced bytes. In 4th round transformation, -function converts balanced bytes to unbalanced bytes. After 5th round transformation all bytes are unbalanced. Evolutions of active bytes are illustrated in Fig. 5. (1) ( 1, 2,..., 8) (A, 2,..., 8) ound1 ound2 ound3 ound4 C assive Byte Balanced Byte ound5 C Unbalanced Byte Fig. 5. ound function of Camellia-1 In Camellia-2, 1st byte of {} is active, the pre- 1 -function converts the active byte to 5 active bytes. 1st round transformations convert the 5 active bytes and 3 passive bytes to 5 active bytes and 3 passive bytes. 2nd round
6 56 D. ei,. Chao, and. Feng transformations convert the 5 active bytes and 3 passive bytes to 1 active byte and 7 passive bytes. 3rd round transformation convert the 5 active bytes and 3passivebytesto2activebytes,4balanced bytes and 2 passive bytes, where X (41), X (42) are active, X (42), X (43), X (45), X (48) are balanced and X (46), X (47) are passive. 4th round transformations convert those bytes to unbalanced bytes. Evolutions of active bytes are illustrated in Fig. 6. Details of 2nd and 3rd transformation are given in Eq.(2)and Eq.(3). X (3) = X (2) s( ( X (2) (2)) = X (1) s( ( X (1) s( ( X (1) ) (1))) (2) ) = X (1) s( ( 1 ( ) s( ( X (1) ) (1))) (2) ) = X (1) s(( s( ( X (1) ) (1))) (2) ) (2) ( 1, 2,..., 8) (A, 2,..., 8) -1-1 ound1 ound2 ound3 ound4 C Fixed Byte Balanced byte ound5 C Unbalanced byte Fig. 6. ound function of Camellia-2 X (11) is the only active byte in { X (1) }, since applying addition and -function on it results in { X (3) } with position of active byte unchanged, demonstrated in Eq.(2). Each byte of X (4) canbewrittenintheformofeq.(3),inwhich X (41), X (44) are influenced by an active byte X (31) so active, X (42), X (43), X (45), X (48) are influenced by 2 active bytes thus balanced and X (46), X (47) are derived from passive bytes, still passive. X (41) = s( X (31) X (33) X (34) X (36) X (37) X (38) (31)) X (31) X (42) = s( X (31) X (32) X (34) X (35) X (37) X (38) (32)) X (32) X (43) = s( X (31) X (32) X (33) X (35) X (36) X (38) (33)) X (33) X (44) = s( X (32) X (33) X (34) X (35) X (36) X (37) (34)) X (34) X (45) = s( X (31) X (32) X (36) X (37) X (38) (35)) X (35) X (46) = s( X (32) X (33) X (35) X (37) X (38) (36)) X (36) X (47) = s( X (33) X (34) X (35) X (36) X (38) (37)) X (37) X (48) = s( X (31) X (34) X (35) X (36) X (37) (38)) X (38) (3) In Camellia-3, 1st byte of {} is active, the pre--function converts the active byte to 5 active bytes. 1st round transformations convert the 5 active
7 New Observation on Camellia 57 bytes, 3 passive bytes to 5 active bytes,3 passive bytes. 2nd round transformations convert the 5 active bytes, 3 passive bytes to 5 active bytes, 3 active bytes. 3rd round transformation convert 5 active bytes, 3 passive bytes to 2 active bytes, 4 balanced bytes and 2 passive bytes, where ˆX (41), ˆX (42) are active, ˆX (42), ˆX (43), ˆX (45), ˆX (48) are balanced and ˆX (46), ˆX (47) are passive.and 4th round transformations convert those bytes to unbalanced bytes. The deducing procedure is similar to that of Camellia-2. Figure illustration is given in Fig.7. ( 1, 2,..., 8) (A, 2,..., 8) -1 ound1 ound2 ound3 ound4 C Fixed Byte Balanced byte ound5 C Unbalanced byte Fig. 7. ound function of Camellia-3 The outstanding properties of Camellia-3 are Eq.(4) and Eq.(5), that are used in Improved quare attack and Improved Collision attack in section 4.2 andsection4.3. ˆX (5i) =0 (s( ˆX (6i) (5i)) ˆX (6i) =0, 6 i 7. (4) F F ˆX (5i) C s( ˆX (6i) (5i)) ˆX (6i) C, F, 1 i 8. (5) Camellia-3 also have the property of Eq.(6) that is used in section 4.4. ˆX (5i) = B s( ˆX (6i) (5i)) ˆX (6i) = B, F,Bisactive,i {1, 4}. (6) In Camellia-4, X(11) is active, 1st round transformations convert the active byte to an active byte, 2nd round transformations convert the active byte to an active byte and 3rd round transformations convert the active byte to 8 active bytes. Figure illustration is shown in Fig.8. The outstanding property of Camellia-4 is that seven 3rd round output bytes are passive, which will be used in variant quare attack in section 4.1. F X (4i) (4i) =0,i 1, C i is a constant. (s 1 ( X (5i) ) C i )=0,i 1, C i is a constant. (7) F
8 58 D. ei,. Chao, and. Feng ( 1, 2,..., 8) (A, 2,..., 8) -1 ound1 ound2 ound3 ound4 C Fixed Byte Balanced Byte ound5 C Unbalanced Byte Fig. 8. ound function of Camellia-4 4 ome Attacks In this section, we construct the attacks on Camellia without pre-, post- whitening and F/F 1 function. The influences of F/F 1 function are discussed in section Variant quare Attack The 6-round variant quare attack use the property of Eq.(8), which is derives from Eq.(7), and use the structure of Camellia-4. This attack can be described by the following steps. (s 1 () (s( X (7i) (6i)) X (7i) C i )=0, C i is a constant, i 1. (8) F t tep 1: elect the laintext sets {} t as {} t = F t, 1 t 3, calculate the values of (X(7),X (7)) and record them, which will be used in following steps. tep 2: Guess k (65) and C 5, then check whether Eq.(8) is satisfied or not, where the laintext set is F 1. If Eq.(8) is satisfied, record the values of k (65) and C 5 that may be the correct pair. tep 2 is ended until all possible values are checked. tep 3: For all correct pairs from step 2, checks whether Eq.(8) is satisfied or not, where the laintext set are F t, 2 t 3. (γ t does not influence the value of C 5 ). In this 6-round attack, the time that step 1 takes is round encryptions takes. ince Eq.(8) has additions, substitutions, and 6- round Camellia has 44 6 additions, 8 6 substitutions, the time Eq.(8) takes is nearly 6 times of that 6-round encryptions of Camellia take. In step 2, Eq.(8) repeats times. The probability of wrong key passing the checking is 2 8, so there is 2 8 pairs passing the checking in step 2, that implies the time of step
9 New Observation on Camellia 59 3and4take2 8 3 and 3 times of that 6-round encryptions take, respectively. In this 6-round attack, we only do the step 1, step 2 and step 3 one time. o the 6-round attack s complexity is The counts of selected laintexts are In 7-round attack, we add one round at the beginning, use the structure of Camellia-3 and select the input sets { X (1) } t as F t,wherek 1 and k 2 are guessing key, for that: if k 1 = k (11),k 2 = k (18) then X (1) F t X (2) F t. This 7-round attack use Eq.(9) for checking and select the T as 7, for the probability of all key bytes pass the checking is 2 8 T. The guessing step is as follows: (s 1 () (s( X (8i) (7i)) X 8i C i )=0,i 1, 1 t T }. (9) X (1) F t tep 1: Guess the values of k (11) and k (18). tep 2: For each X (1) F t calculate the result of {X (8) } t. tep 3: Guess k (75) and C 5, and record the values that pass the checking Eq.(9),where the laintext set is F 1. tep 4: For all correct pairs from step 3, checks whether Eq.(9) is satisfied or not, where 2 t 7, if all the pairs can t pass the check, go to step 1. The attacking complexity is 2 16 ( ) The complexity of 256-Camellia is , since its 1st round key bits are the same as 7th round key bits. The 8-round attack is similar to 7-round attack, the only difference is that X () (8i) is unknown. Getting X () (8i) from X (9) needs five 8th round key bytes, then complexity of this attack is 2 16 ( ) ,the complexity of 256-Camellia becomes In 9-round attack, we add one round at the beginning and use the structure of Camellia-4, where the selected special plaintexts should satisfy the properties of that { X (2) } t is a Γ set with the from of F t. o we select { X (1) } t as F t,where k 1,...,k 9 are guessing key.. The complexity of this attack is 2 72 ( ) In 256-Camellia, the 2nd round key bytes are the same as 8th round key bytes, so the complexity of the attack is In 128-Camellia 1st round key bytes are the same as 9th round key, so the complexity is 2 90.In 10-round attack, we add 1 round at the end and use the structure of Camellia-4, it will need to guess another 8 bytes key. The complexity is And attacking on 11-round Camellia, the complexity is Improved quare Attack The best result of quare attack against Camellia was given by Y.Yeom,. ark, and I. im [3]. In this paper we improved the attacking result, since Camellia-3 satisfying Eq.(4), so called Improved quare attack. The basic attack on 5-round camellia use the property of s( ˆX (65) (55)) ˆX (65) is balanced byte if the plaintext set is F t, which is illustrated in Eq.(4),
10 60 D. ei,. Chao, and. Feng and the probability of wrong key pass the checking is 2 8. The attacking details are as follows. tep 1: Choose F t, 1 t 2 as plaintext sets, calculate the values of ˆX (65) and record them. tep 2: For each possible values of (55), check whether Eq.(4) is satisfied or not, where the laintext set is F 1, and record the passed key bytes, which may be the correct key byte. Go to next step until all possible values are checked. tep 3: For all correct key bytes in step 2, checks whether Eq.(4) is satisfied or not, where the laintext set is F 2. For this 5-round attack, the time that step 1 takes equals the time that round encryptions takes. ince Eq.(4) has additions and 256 substitutions, and 5-round Camellia has 44 5 additions and 8 5 substitutions, so the time Eq.(4) takes is nearly 5 times of that 5-round Camellia encryptions take. In step 2, Eq.(4) repeats 2 8 times. The probability of wrong key passing the checking is 2 8, so there will be few passing the checking, that means the time of step 3 takes 5 times of that 5-round encryptions take. o the complexity of 5-round attack is round attack add one round at the begin and select the F t, 1 t 5 as plaintext sets and use the structure of Camellia-4. If k 1 in F t, 1 t 5 equals k (11),thens( ˆX (75) (65)) ˆX (75) is balanced byte. o in this attack for each guessing k 1 we check wether the byte s( ˆX (75) (65)) ˆX (75) is balanced or not, similar as 5-round attack. The complexity of the attack is 2 8 ( ) We extend 6 round attacks to 7-round by adding one round at the end and select the plaintexs as 6-round attack. Then to get to know ˆX (75) we have to guess 5 7th round key bytes, so the complexity is 2 8 ( ) In 8-round attack, adding one round at the beginning, use the structure of Camellia-4. The input sets { ˆX (1 } t is selected as F t, 1 t 15. The key bytes are used in attack. The complexity of the attack is 2 48 ( ) The complexity of the attack on 256-Camellia is 2 82,sincethe1stand2nd round key bytes are the same as 7th and 8th round key bytes, respectively. The complexity of the attacks on 9 and 10 rounds are and 2 212, respectively. 4.3 Improved Collision Attack Collision attack on Camellia is given by W wu[10]. We improve the attacking results, called Improved Collision attack. In 5-round attack, Eq.(10) is used for checking, which is derived from Eq.(5). s( ˆX (6i) (5i)) ˆX (6i) s( ˆX (6i) (5i)) ˆX (6i), ˆX (1), ˆX (1) F,i {6, 7}. (10) The procedure of this attack is similar to that of 5 round Improved quare attack. The time Eq.(10) takes is nearly 1/4 times that of 1-round Camellia
11 New Observation on Camellia 61 encryptions take, then the complexity of 5 round attack is /(4 5) imilarly as section 4.2, The complexities of the attack on 6,7,8,9 rounds are 2 8 ( /(6 4)) ,2 8 ( /(7 4)) , 2 48 ( /(8 4)) and 2 48 ( /(9 4)) The complexity of 9-round attack on 128-Camellia is The complexities of the attack on 256-Camellia with 7,8,9 and 10 are ,2 78.9, and Other Observations We can build a new attack on Camellia based on Eq.(6), which implies the result of s( ˆX (6i) (5i)) ˆ(X) (6i) is a active byte. We select the Λ set F as plaintext sets,then check whether s( ˆX (6i) (5i)) ˆ(X) (6i) is active byte or not for guessing key byte (5i). There is also an interesting property in Camellia-4. If we select the laintext ( X 1, X 1 ) F,then X (58) with the form of Eq.(11). X (58) = s 1(s 1 (B γ) s 2 (B γ) δ) ɛ, γ, δ, ɛ are passive, B is active (11) 5 The Influence of F/F 1 In this section, we construct the attacks on Camellia with F/F 1 function and without pre- and post-whitening. 5.1 Variant quare Attack In 7-round variant quare attack, we use the structure of Camellia-4 and select the plaintexts { X (1), X (1) } t as a series of Λ sets F t. The equation used in this attack is Eq.(12). (s 1 ( X (7i) C i )=0,i {1, 2,..., 8},t {1, 2,..., T }. (12) X (1), X (1) F t If there is a F/F 1 function in Camellia-4, we have X (7i) X (8i). Getting X (7i) from X (8i) needs to guess eight key bytes, which are used in F 1 function. Hence the attacking complexity is 2 72 ( ) , where the value of T is 21. In 128-Camellia,the complexity becomes ,since the key bytes used in F 1 function are the same as 1st round key bytes. In this 8-round attack, we add one round at the end. Then the attacking complexity is It becomes in 256-Camellia, since in 256-Camellia 2nd round key bytes are the same as 8th round key. 5.2 Improved quare Attack In 7-round Improved quare attack, we use the structure of Camellia-3 and select the { ˆX (1), ˆX (1) } as F t, and use Eq.(13) for checking. s( ˆX (8i) (7i)) ˆX (8i) =0,i {1, 2,..., 8}. (13) X (1) F
12 62 D. ei,. Chao, and. Feng If there is a F/F 1 function in Camellia-3, we have to consider the property of F( ˆX (7) ). ince the F function results a Γ set in a Γ set, wehavea conclusion that whether there is a F/F 1 or not Eq.(13) always holds. Hence the complexity of that attack is 2 48 ( ) ,thekey bytes required in this attack are {k (11), k (12), k (13), k (15), k (18), k (21), k (75) }. Table 1. The ummary of known attacks on Camellia ounds F/F 1 Methods Time 128 bit Time 256 bit Notes 5 No A 2 48 [2] 5 No A 2 16 [3] 5 No Improved A This aper 5 No Improved CA This aper 6 No A 2 56 [3] 6 No Higher Order DC 2 18 [9] 6 No Improved A 2 18 This aper 6 No Improved CA This aper 6 No Variant A This aper 7 No Truncated DC 192 [5] 7 No Higher Order DC 2 57 [9] 7 Yes A [3] 7 No Improved A This aper 7 No Improved CA This aper 7 No Variant A This aper 7 Yes Improved A This aper 7 Yes Variant A This aper 8 No Truncated DC [5] 8 No Higher Order DC [9] 8 Yes A [3] 8 Yes Improved A This aper 8 No Improved CA This aper 8 No Variant A This aper 8 Yes Improved CA ,6 This aper 8 Yes Variant A This aper 9 No Higher Order DC [9] 9 Yes A [3] 9 Yes Improved A This aper 9 No Improved CA This aper 9 No Variant A This aper 10 No Higher Order DC [9] 10 Yes Improved A This aper 10 No Improved CA This aper 10 No Variant A This aper 11 No Higher Order DC [9] 11 No Variant A This aper
13 New Observation on Camellia 63 In 8-round attack, we add one round at the end and still use Eq.(13) for checking, than the attacking procedure becomes the same as that of section 4.2. The attacks on 9-and 10-round Camellia with F function are also no difference from that of without F function, which have been described in section Conclusions Variant quare attack can break 9-round 128bit Camellia, 11-round 256 bit Camellia without F function, further more, it is faster than exhaustive key search. The conclusions can be made that key schedule and -function influence the security of Camellia and quare attack is still the best attack on Camellia. Table(1) give a summary of known attacks on Camellia. Acknowledgement. We would like to thank Vincent ijmen for his help for important comments and correctness of mistakes that improved the technical quality of the paper. The reviewer has kindly pointed out many technical problems and give suggestions in the submitted version of this draft. We would also like to thank the referees of the paper, for their constructive comments and suggestions. eferences 1.. Aoki, T. Ichikawa, M. anda, M. Matsui,. Moriai, J. Nakajima and T. Tokita.: Camellia: A 128-Bit Block Cipher uitable for Multiple latforms - Design and Analysis. In: roceedings of elected Areas in Cryptography. ecture Notes in Computer cience, Vol pringer-verlag, Berlin Heidelberg New York (2000) Y. He and. Qing: quare Attack on educed Camellia Cipher. In: ICIC 2001, ecture Notes in Computer cience, Vol pringer-verlag, Berlin Heidelberg New York (2001) Y.Yeom,. ark, and I. im.: On the security of Camellia against the quare attack.: In: roceed-ings of Fast oftware Encryption. ecture Notes in Computer cience, Vol pringer-verlag, Berlin Heidelberg New York (2002) M. anda and T. Matsumoto.: ecurity of Camellia against Truncated Differential Cryptanalysis. In: roceedings of Fast oftware Encryption ecture Notes in Computer cience, Vol pringer-verlag, Berlin Heidelberg New York (2001) ee,. Hong,. ee, J. im and. Yoon.: Truncated Differential Cryptanalysis of Camellia. In: ICIC 2001, ecture Notes in Computer cience, Vol pringer- Verlag, Berlin Heidel-berg New York (2001) M. ugita,. obara and H. Imai.: ecurity of educed Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis. In: AIACYT 2001, ecture Notes in Computer cience, Vol pringer-verlag, Berlin Heidelberg New York (2001) T. awabata and T. aneko.: A tudy on Higher Order Differential Attack of Camellia.: The 2nd open NEIE workshop (2001).
14 64 D. ei,. Chao, and. Feng 8. J. Daemen,.. nudsen and V. ijmen.: The Block Cipher QUAE. In Fast oftware En-cryption, ecture Notes in Computer cience, Vol pringer- Verlag, Berlin Heidelberg New York (1997) Y.Hatano,H.ekine, and T.aneko.: Higher order differential attack of Camellia(II). In: roceed-ings of elected Areas in Cryptography-AC 02, ecture Notes in Computer cience, Vol pringer-verlag, Berlin Heidelberg New York (2002) W..Wu,F. D.G. Feng: Collision attack on reduced-round Camellia, cience in China eries F-Information ciences, 2005, Vol.48, No.1pp Joan Daemen and Vincent ijmen, The Design of ijndael, AE - The Advanced Encryption tandard, pringer-verlag 2002, (238 pp.). 12. Niels Ferguson,John elsey,tefan ucks,bruce chneier,mike tay,david Wagner and Doug : Improved Cryptanalysis of ijndael Whiting. In roceedings of Fast oftware Encryption-FE 00, Vol 1978, pringer-verlag, Berlin Heidelberg New York (2000)
Improved Impossible Differential Attack on Reduced Version of Camellia-192/256
Improved Impossible Differential ttack on educed Version of Camellia-92/256 Ya iu, Dawu Gu, Zhiqiang iu, Wei i 2,3 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai
More informationImproved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256
Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationSecurity of the SMS4 Block Cipher Against Differential Cryptanalysis
Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationPractically Secure against Differential Cryptanalysis for Block Cipher SMS4
Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an
More informationGENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay
Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,
More informationResearch Article New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4
Hindawi ecurity and Communication Networks Volume 2017, Article ID 1461520, 10 pages https://doi.org/10.1155/2017/1461520 Research Article New Linear Cryptanalysis of Chinese Commercial Block Cipher tandard
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationA Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones
A Low Data Complexity Attack on the GMR-2 Cipher Used in the atellite Phones Ruilin Li, Heng Li, Chao Li, Bing un National University of Defense Technology, Changsha, China FE 2013, ingapore 11 th ~13
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationImpossible Boomerang Attack for Block Cipher Structures
Impossible Boomerang Attack for Block Cipher Structures Jiali Choy and Huihui Yap DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali, yhuihui@dso.org.sg Abstract. Impossible
More informationUsing MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism
Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism Mahdi Sajadieh and Mohammad Vaziri 1 Department of Electrical Engineering, Khorasgan Branch, Islamic Azad University,
More informationSecurity of SM4 Against (Related-Key) Differential Cryptanalysis
Security of SM4 Against (Related-Key) Differential Cryptanalysis Jian Zhang 1,2, Wenling Wu 1(B), and Yafei Zheng 1 1 Institute of Software, Chinese Academy of Sciences, Beijing 100190, China {zhangjian,wwl,zhengyafei}@tca.iscas.ac.cn
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationHuman-readable Proof of the Related-Key Security of AES-128
Human-readable Proof of the Related-Key ecurity of AE-128 Khoongming Khoo 1, Eugene Lee 2, Thomas Peyrin 3,4,5 and iang Meng im 3 1 DO National Laboratories, ingapore kkhoongm@dso.org.sg 2 Raffles Institution,
More informationA Unified Method for Finding Impossible Differentials of Block Cipher Structures
A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationCryptanalysis of Hummingbird-2
Cryptanalysis of Hummingbird-2 Kai Zhang, Lin Ding and Jie Guan (Zhengzhou Information Science and Technology Institute, Zhengzhou 450000, China) Abstract: Hummingbird is a lightweight encryption and message
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationDifferential Cache Trace Attack Against CLEFIA
Differential Cache Trace Attack Against CLEFIA Chester Rebeiro and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur, India {chester,debdeep}@cse.iitkgp.ernet.in
More informationImproved S-Box Construction from Binomial Power Functions
Malaysian Journal of Mathematical Sciences 9(S) June: 21-35 (2015) Special Issue: The 4 th International Cryptology and Information Security Conference 2014 (Cryptology 2014) MALAYSIAN JOURNAL OF MATHEMATICAL
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationImproved Upper Bounds of Differential and Linear Characteristic Probability for Camellia
Improved Upper Bounds of Differential and Linear Characteristic Probability for Camellia Taizo Shirai, Shoji Kanamaru, and George Abe Sony Corporation 7-35 Kitashinagawa 6-chome, Shinagawa-ku, Tokyo, 141-0001
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationMATH 509 Differential Cryptanalysis on DES
MATH 509 on DES Department of Mathematics, Boise State University Spring 2012 MATH 509 on DES MATH 509 on DES Feistel Round Function for DES MATH 509 on DES 1977: DES is approved as a standard. 1 1 Designers:
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationImproved Slide Attacks
Improved Slide Attacs Eli Biham 1 Orr Dunelman 2 Nathan Keller 3 1 Computer Science Department, Technion. Haifa 32000, Israel biham@cs.technion.ac.il 2 Katholiee Universiteit Leuven, Dept. of Electrical
More informationCiphertext-only Cryptanalysis of a Substitution Permutation Network
Ciphertext-only Cryptanalysis of a Substitution Permutation Network No Author Given No Institute Given Abstract. We present the first ciphertext-only cryptanalytic attack against a substitution permutation
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationKey classification attack on block ciphers
Key classification attack on block ciphers Maghsood Parviz Mathematical Sciences Department Sharif University of Technology Tehran, IAN maghsoudparviz@alum.sharif.ir Saeed Mirahmadi Pooyesh Educational
More informationA Byte-Based Guess and Determine Attack on SOSEMANUK
A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationCryptanalysis of a Multistage Encryption System
Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationBISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018
BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and
More informationOn Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds
On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Jiqiang Lu 1, Wun-She Yap 1,2, and Yongzhuang Wei 3,4 1 Institute for Infocomm Research, Agency for Science, Technology and Research
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationMenu. Lecture 5: DES Use and Analysis. DES Structure Plaintext Initial Permutation. DES s F. S-Boxes 48 bits Expansion/Permutation
Lecture : Use and nalysis Menu Today s manifest: on line only Review Modes of Operation ttacks CS: Security and rivacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationMASKED INVERSION IN GF(2 N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES
Chapter X MASKED INVERSION IN GF( N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES SHAY GUERON 1,, ORI PARZANCHEVSKY 1 and OR ZUK 1,3 1 Discretix Technologies, Netanya, ISRAEL
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationNew Block Cipher: ARIA
This is the accepted version of LNCS 97 pp.43-445 (004, presented at ICISC 003. https://doi.org/0.007/978-3-540-469-6_3 New Block Cipher: ARIA Daesung Kwon, Jaesung Kim, Sangwoo Park, Soo Hak Sung 3, Yaekwon
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationLinear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction
More informationDistinguishing Attack on Common Scrambling Algorithm
410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationHardware Design and Analysis of Block Cipher Components
Hardware Design and Analysis of Block Cipher Components Lu Xiao and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland St.
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationStructural Cryptanalysis of SASAS
J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationAdvanced differential-style cryptanalysis of the NSA's skipjack block cipher
Loughborough University Institutional Repository Advanced differential-style cryptanalysis of the NSA's skipjack block cipher This item was submitted to Loughborough University's Institutional Repository
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationBit-Pattern Based Integral Attack
Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationA new version of the RC6 algorithm, stronger against χ 2 cryptanalysis
A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis Routo Terada 1 Eduardo T. Ueda 2 1 Dept. of Computer Science University of São Paulo, Brazil Email: rt@ime.usp.br 2 Dept. of Computer
More informationA New Algorithm to Construct. Secure Keys for AES
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 26, 1263-1270 A New Algorithm to Construct Secure Keys for AES Iqtadar Hussain Department of Mathematics Quaid-i-Azam University, Islamabad, Pakistan
More informationImproved Cascaded Stream Ciphers Using Feedback
Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationTruncated differential cryptanalysis of five rounds of Salsa20
Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationZero-Correlation Linear Cryptanalysis of Reduced-Round LBlock
Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More information