Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Size: px
Start display at page:

Download "Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis"

Transcription

1 Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Jiqiang Lu 1, Wun-She Yap 1,2, and Yongzhuang Wei 3,4 1 Institute for Infocomm Research, Agency for Science, Technology and Research 1 Fusionopolis Way, #19-1 Connexis, Singapore lvjiqiang@hotmail.com, wsyap@i2r.a-star.edu.sg 2 Faculty of Information Science and Technology, Multimedia University, Melaka 7545, Malaysia 3 Guilin University of Electronic Technology, Guilin City, Guangxi Province 5414, P.R. China 4 State ey Laoratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 119, P.R. China walker wei@msn.com Astract. The MISTY1 lock cipher has a 64-it lock length, a 128-it user key and a recommended numer of 8 rounds. It is a Japanese CRYPTREC-recommended e-government cipher, an European NESSIE selected cipher, and an ISO international standard. Despite of considerale cryptanalytic efforts during the past fifteen years, there has een no pulished cryptanalytic attack on the full MISTY1 cipher algorithm. In this paper, we present related-key differential and related-key amplified oomerang attacks on the full MISTY1 under certain weak key assumptions: We descrie weak keys and a related-key differential attack on the full MISTY1 with a data complexity of 2 61 chosen ciphertexts and a time complexity of encryptions; and we also descrie 2 92 weak keys and a related-key amplified oomerang attack on the full MISTY1 with a data complexity of chosen plaintexts and a time complexity of encryptions. For the very first time, our results exhiit a cryptographic weakness in the full MISTY1 cipher (when used with the recommended 8 rounds), and show that the MISTY1 cipher is distinguishale from a random function and thus cannot e regarded to e an ideal cipher. ey words: Block cipher, MISTY1, Differential cryptanalysis, Amplified oomerang attack, Related-key cryptanalysis, Weak key. 1 Introduction The lock cipher MISTY1 [33] was designed y Matsui and pulished in It has a 64-it lock length, a 128-it user key, and a variale numer of rounds; the officially recommended numer of rounds is 8. We consider the version of MISTY1 that uses the recommended 8 rounds in this paper, which is also the most widely discussed version so far. MISTY1 has a Feistel structure with a total of ten key-dependent logical functions FL two FL functions at the eginning plus two inserted after every two rounds. It ecame a CRYPTREC [1] e-government recommended cipher in 22, and a NESSIE [35] selected lock cipher in 23, and was adopted as an ISO [15] international standard in 25 and 21. MISTY1 has attracted extensive attention since its pulication, and its security has een analysed against a wide range of cryptanalytic techniques [1,12,25,26,29,32,38 42]. In summary, the main previously pulished cryptanalytic results on MISTY1 are as follows. In 28, Dunkelman and eller [12] descried impossile differential attacks [3, 23] on 6-round MISTY1 with FL functions and 7-round MISTY1 without FL functions. In the This work was partially supported y the Natural Science Foundation of China (No ).

2 2 Tale 1. Main cryptanalytic results on MISTY1 #Rounds FL #eys Attack Type Data Time Source 6 (1 6) yes Impossile differential 2 51 CP Enc. [12] 6 (1 6) yes Higer-order differential CP Enc. [4, 41] 6 (3 8) yes Integral 2 32 CC Enc. [38] 7 (1 7) yes Higer-order differential CP Enc. [41, 42] 7 (2 8) yes 2 73 Related-key amplified oomerang 2 54 CP Enc. [29] 8 (1 8) yes 2 9 Related-key amplified oomerang 2 63 CP 2 7 Enc. [9] 8 (1 8) yes 2 15 Related-key differential 2 63 CC Enc. [11] full yes Related-key differential 2 61 CC Enc. Sect Related-key amplified oomerang CP Enc. Sect. 5 : Exclude the first/last two FL functions, : There is a flaw, see Section 5 for detail. same year, Lee et al. [29] gave a related-key amplified oomerang attack [4, 14, 2] on 7-round MISTY1 with FL functions under a class of 2 73 weak key 1, and Tsunoo et al. [41] presented a higher-order differential attack [22, 27] on 6 and 7-round MISTY1 with FL functions (without making a weak key assumption). In 29, Sun and Lai [38] presented an integral attack on 6-round MISTY1 with FL functions, following nudsen and Wagner s attack [24] on 5-round MISTY1. Most recently, following Lee et al. s work, Chen and Dai [9] presented a 7-round related-key amplified oomerang distinguisher with proaility under a class of 2 9 weak keys and gave a related-key amplified oomerang attack on the 8-round MISTY1 with only the first 8 FL functions; and in [11] they descried a 7-round related-key differential characteristic with proaility 2 6 under a class of 2 15 weak keys and finally presented a related-key differential attack on the 8-round MISTY1 with only the last 8 FL functions. So far, there has een no pulished (non-generic) cryptanalytic attack on the full 8 rounds of MISTY1 yet. Related-key cryptanalysis [2, 21] assumes that the attacker knows the relationship etween one or more pairs of unknown keys; certain current real-world applications may allow for practical related-key attacks, for example, key-exchange protocols and hash functions [17]. Related-key differential cryptanalysis [17] takes advantage of how a specific difference in a pair of inputs of a cipher or function can affect a difference in the pair of outputs of the cipher or function, where the pair of outputs are otained y encrypting the pair of inputs using two different keys with a specific difference. The related-key amplified oomerang attack [4, 14, 2] is a comination of related-key cryptanalysis and the amplified oomerang attack [18]; the amplified oomerang attack is a variant of the oomerang attack [43]. Remarkaly, under certain weak key assumptions the related-key differential cryptanalysis technique was used in 29 y Biryukov et al. [8] to otain the the first cryptanalytic attack on the full version of the AES [36] lock cipher with 256 key its; and the related-key amplified oomerang attack technique was used to yield the first cryptanalytic attacks on the full versions of oth AES with 192/256 key its and ASUMI [16] a variant of MISTY1, without using a weak key assumption, y Biham et al. [5, 13] and Biryukov et al. [7], respectively. In this paper, for the very first time we show that the full MISTY1 cipher can e distinguished from a random function (in the related-key model): Building on Chen and Dai s work descried in [9,11], we present related-key differential and amplified oomerang attacks on the full MISTY1 cipher under certain weak key assumptions. First, we spot some flaws in Dai and Chen s differential cryptanalytic results presented in [11], and find that there are only aout weak keys in their weak key class such that their 7-round 1 A weak key is defined as a key under which the concerned cipher is more vulnerale to e attacked.

3 related-key differential holds, ut with proaility 2 58 ; and we oserve that there are also a different class of weak keys under which there exists a 7-round related-key differential with proaility We use the 7-round related-key differentials to reak the full MISTY1. Finally, we find that under the class of 2 9 weak keys descried in [9], Chen and Dai s 7-round related-key amplified oomerang distinguisher actually has a proaility of 2 116, instead of 2 118, which can e used to attack the full MISTY1; and similar results hold for three other classes of weak keys of the same size. Tale 1 summarises our and previously pulished main cryptanalytic results on MISTY1, where CP and CC refer respectively to the numers of chosen plaintexts and chosen ciphertexts, Enc. refers to the required numer of encryption operations of the relevant version of MISTY1, and yes means with FL functions. The remainder of the paper is organised as follows. In the next section, we descrie the notation, the MISTY1 cipher and the related-key amplified oomerang attack. In Sections 3 and 4 we review Chen and Dai s cryptanalytic results and give our differential and amplified oomerang cryptanalytic results on MISTY1, respectively. Section 5 concludes this paper. 3 2 Preliminaries In this section we give the notation, and riefly descrie the MISTY1 cipher and the related-key amplified oomerang attack. 2.1 Notation The its of a value are numered from left to right, starting with 1. We use the following notation throughout this paper. itwise logical exclusive OR (XOR) itwise logical AND itwise logical OR it string concatenation functional composition. When composing functions X and Y, Y X denotes the function otained y first applying X and then Y 2.2 The MISTY1 Block Cipher MISTY1 [33] employs a complex Feistel structure with a 64-it lock length and a 128-it user key. It uses the following three functions FL, FI, FO, which are respectively depicted in Fig. 1-(a), Fig. 1-() and Fig. 1-(c) with their respective sukeys to e descried elow. FL : {, 1} 32 {, 1} 32 {, 1} 32 is a key-dependent linear function. If X = (X L X R ) is a 32-it lock and Y = (Y 1 Y 2 ) is a 32-it lock of two 16-it words Y 1, Y 2, then FL(X, Y ) = (X L ((X R (X L Y 1 )) Y 2 ), X R (X L Y 1 )). FI : {, 1} 16 {, 1} 16 {, 1} 16 is a non-linear function. If X = (X L (9 its) X R (7 its)) and Y = (Y 1 (7 its) Y 2 (9 its)) are 16-it locks, then FI(X, Y ) is computed as follows, where XL, XR,, XL 3, XR 3 are 9 or 7-it variales, S 9 is a 9 9-it ijective S-ox, S 7 is a 7 7-it ijective S-ox, the function Extnd extends from 7 its to 9 its y concatenating two zeros on the left side, and the function Trunc truncates two its from the left side.

4 4 I ij2 FL 1 FL 2 L i1 L i2 Extnd Trunc Extnd S 9 S 7 S 9 FO 1 FO 2 (a) : FL i I ij1 () : FI ij FL 3 FL 4 FO 3. FL 9 FL 1 O i1 O i2 O i3 O i4 FI i1 FI i2 FI i3 (c) : FO i (d) : MISTY1 Fig. 1. MISTY1 and its components 1. XL = X L, XR = X R ; 2. XL 1 = XR, XR 1 = S 9 (XL ) Extnd(XR ); 3. XL 2 = XR 1 Y 2, XR 2 = S 7 (XL 1 ) Trunc(XR 1 ) Y 1 ; 4. XL 3 = XR 2, XR 3 = S 9 (XL 2 ) Extnd(XR 2 ); 5. FI(X, Y ) = (XL 3 XR 3 ). FO : {, 1} 32 {, 1} 64 {, 1} 48 {, 1} 32 is a non-linear function. If X = (X L X R ) is a 32-it lock, Y = (Y 1 Y 2 Y 3 Y 4 ) is a 64-it lock of four 16-it words Y 1, Y 2, Y 3, Y 4, and Z = (Z 1 Z 2 Z 3 ) is a 48-it lock of three 16-it words Z 1, Z 2, Z 3, then FO(X, Y, Z) is defined as follows, where XL, XR,, XL 3, XR 3 are 16-it variales. 1. XL = X L, XR = X R ; 2. For j = 1, 2, 3: XL j = XR j 1, XR j = FI(XL j 1 Y j, Z j ) XR j 1 ; 3. FO(X, Y, Z) = (XL 3 Y 4 ) XR 3. MISTY1 uses a total of ten 32-it sukeys L 1, L 2,, L 1 for the FL functions, twenty-four 16-it sukeys I ij for the FI functions, and thirty-two 16-it sukeys O il for the FO functions, (1 i 8, 1 j 3, 1 l 4), all derived from a 128-it user key. The key schedule is as follows. 1. Represent as eight 16-it words = ( 1, 2,, 8 ). 2. Generate a different set of eight 16-it words 1, 2,, 8 y i = FI( i, i+1 ), for i = 1, 2,, 8, where the suscript i + 1 is reduced y 8 when it is larger than 8, (similar for some sukeys in the following step). 3. The sukeys are as follows. O i1 = i, O i2 = i+2, O i3 = i+7, O i4 = i+4 ; I i1 = i+5, I i2 = i+1, I i3 = i+3; L i = i+1 i+1 +6, for i = 1, 3, 5, 7; otherwise, L i = i +2 i

5 5 P α P P α P E B E D E A E C β γ γ β E 1 B E 1 D E 1 A E 1 C C C δ δ C C Fig. 2. A related-key amplified oomerang distinguisher MISTY1 takes a 64-it plaintext P as input, and has a variale numer of rounds; the recommended numer of rounds is 8. Its encryption procedure is as follows, where L, R,, L i, R i are 32-it variales, O j = (O j1 O j2 O j3 O j4 ), and I j = (I j1 I j2 I j3 ), (j = 1, 2,, 8); see Fig. 1-(d). 1. (L R ) = (P L P R ). 2. For i = 1, 3, 5, 7: R i = FL(L i 1, L i ), L i = FL(R i 1, L i+1 ) FO(R i, O i, I i ); R i+1 = L i, L i+1 = R i FO(L i, O i+1, I i+1 ). 3. Ciphertext C = FL(R 8, L 1 ) FL(L 8, L 9 ). We refer to the 8 rounds in the aove description as Rounds 1, 2,, 8, respectively. 2.3 The Related-ey Amplified Boomerang Attack A related-key amplified oomerang attack is ased on a related-key amplified oomerang distinguisher, which treats a lock cipher E : {, 1} n {, 1} k {, 1} n as a cascade of two su-ciphers E = E 1 E and requires that there exists a related-key differential α β with proaility p for E : Pr X {,1} n[e A (X)E B (X α) = β] = Pr X {,1} n[e C (X) E D (X α) = β] = p, and a related-key differential γ δ with proaility q for E 1 : Pr X {,1} n[e 1 A (X) E 1 C (X γ) = δ] = Pr X {,1} n[e 1 B (X) E 1 D (X γ) = δ] = q, where the four unknown user keys A, B, C, D satisfy B = A, C = A 1 and D = C, with and 1 eing two known differences. See Fig. 2. A quartet consisting of two randomly chosen pairs of plaintexts (P, P = P α) and (P, P = P α) satisfies E A (P ) E B (P ) = E C (P ) E D (P ) = β with proaility p 2. Assuming that the intermediate values after E distriute uniformly over all possile values, we get E A (P )E C (P ) = γ with proaility 2 n. Once this occurs, then E B (P )E D (P ) = γ holds with proaility 1, for E B (P )E D (P ) = (E A (P ) E B (P )) (E C (P ) E D (P )) (E A (P ) E C (P )) = β β γ = γ. As a result, the proaility that the quartet satisfies E A (P ) E C (P ) = E B (P ) E D (P ) = δ is expected to e aout (Pr( α β)) 2 2 n (Pr( γ δ)) 2 = 2 n p 2 q 2 ; while for a random cipher, the proaility is aout 2 n 2 = 2 2n. Therefore, if p q > 2 n/2, the related-key amplified oomerang distinguisher can distinguish etween E and a random cipher given a sufficient numer of plaintext pairs.

6 6 Note that in addition to those assumptions [28] used in differential cryptanalysis [6], the related-key amplified oomerang attack requires another assumption aout independence, and we refer the reader to [19,34] for a more formal discussion of the assumptions as well as the attack technique. These assumptions mean that, in some cases, the proaility of a related-key amplified oomerang distinguisher may e overestimated or underestimated, and so is the success proaility of the attack. Anyway, it seems reasonale to take the worst case assumption from the point of the user of a cipher. An application of such an attack was given y Dunkelman et al. [13] to reak the full ASUMI cipher with a practical complexity, and its validity was experimentally verified Weak eys of the Full MISTY1 for a Related-ey Differential Attack In this section, we first review Dai and Chen s class of 2 15 weak keys and their 7-round related-key differential characteristic with proaility 2 6 under the class of weak keys. Then, we show that there are actually only weak keys such that the 7-round relatedkey differential characteristic holds, and it has a proaility of Next we devise a related-key differential attack on the full MISTY1 when the user key used is a weak key from the class of weak keys. At last we descrie another class of weak keys under which similar results hold. 3.1 A Class of 2 15 Weak eys due to Dai and Chen First define three constants which will e used susequently: A 7-it constant a = 1, a 16-it constant = 11, and another 16-it constant c = 1, all in inary notation. Oserve that = (a 2 a) and c = (a 9 ). Let A, B e two 128-it user keys defined as follows: A = ( 1, 2, 3, 4, 5, 6, 7, 8 ), B = ( 1, 2, 3, 4, 5, 6, 7, 8 ). By the key schedule of MISTY1 we can get the corresponding eight 16-it words for A, B, which are denoted as follows. A = ( 1, 2, 3, 4, 5, 6, 7, 8), B = ( 1, 2, 3, 4, 5, 6, 7, 8). Then, the class of weak keys is defined to e the set of all possile values for ( A, B ) that satisfy the following 1 conditions, where 6,12 denotes the 12-th it of 6, and similar for 7,3, 7,12, 8,3, 4,3, 4,12, 7, = c; (1) 5 5 = ; (2) 6 6 = c; (3) 6,12 = ; (4) 7,3 = 1; (5) 7,12 = ; (6) 8,3 = 1; (7) 4,3 = 1; (8) 4,12 = 1; (9) 7,3 =. (1)

7 Now let us analyse the numer of the weak keys. First oserve that when Condition (1) holds, then Condition (2) holds with certainty. Note that 4 = FI( 4, 5 ), 6 = FI( 6, 7 ), 6 = FI( 6, 7), 7 = FI( 7, 8 ). By performing a computer search, we get {( 4, 5 ) Conditions (8) and (9)} = 2 3 ; {( 6, 7, 8 ) Conditions (1), (3), (4), (5), (6), (7) and (1)} = Therefore, Dai and Chen [11] concluded that there are a total of 2 15 possile values for A satisfying the aove 1 conditions, and thus there are 2 15 weak keys Dai and Chen s 7-Round Related-ey Differential Characteristic Under the class of 2 15 weak keys ( A, B ) descried in Section 3.1, Dai and Chen descried the following 7-round related-key differential characteristic α β: ( 32 c) ( 32 c 16 ) with proaility 2 6 for Rounds 2 8, where 32 represents a inary string of 32 zeros, and so on. In Fig. 5 in Appendix A we illustrate the related-key differential characteristic in detail, where R 4,3 denotes the 3-rd it of R 4 (the right half of the output of Round 4), and R 4,12 denotes the 12-th it of R 4. As a result, Dai and Chen presented a related-key differential attack on 8-round MISTY1 without the first two FL functions, y conducting a key recovery on FO 1 in a way similar to the early aort technique for impossile differential cryptanalysis introduced in [32] 3.3 A Corrected Class of Weak eys and Improved 7-Round Related-ey Differential We first focus on the FI 73 function in Dai and Chen s 7-round related-key differential characteristic, where the proaility is Oserve that I 73 = 2. Dai and Chen assumed a random distriution when calculating the proaility of the differential c c for FI 73, and thus otained a proaility value of 2 16, (An alternative explanation is to consider the two S 9 S-oxes, each having a proaility value of 2 8 ). However, intuitively we should make sure that a weak key ( A, B ) should also satisfy the condition that the differential c c is a possile differential for FI 73 ; otherwise, the differential c c would have a zero proaility, and the 7-round differential characteristic would e flawed. Thus, we should put the following additional condition when defining a set of weak keys: Pr FI(, 2 )( c c) >. (11) Motivated y this, we perform a computer programming to test the numer of 2 satisfying Condition (11), and we find that the numer of 2 satisfying Condition (11) is equal to As a consequence, we know that the numer of ( 2, 3 ) satisfying Condition (11) is 2 31, thus not all 2 32 possile values for ( 2, 3 ) meet Condition (11), so this is really a flaw in Dai and Chen s results. Furthermore, we find that for each satisfying 2, there are exactly two pairs of inputs to FI 73 which follow the differential c c, that is to say, the proaility Pr FI(, 2 )( c c) = 2 15, twice as large as the proaility value 2 16 used y Dai and Chen. Next we focus on the FI 21 function in Dai and Chen s 7-round related-key differential characteristic, where the proaility is 2 16, and I 21 = 7. Likewise, we should make sure that a weak key ( A, B ) should also satisfy the condition that the differential c is a possile differential for FI 21 ; otherwise, the differential c would have

8 8 a zero proaility, and the 7-round differential characteristic would e flawed. Similarly, we should put another condition when defining a set of weak keys: Pr FI(, 7 )( c) >. (12) By performing a computer programming we find that the numer of 7 satisfying Condition (12) is ; on the other hand, the numer of 7 satisfying Conditions (1), (3), (4), (5), (6), (7) and (1) is 2 15 (and for each satisfying 7 there are 2 12 possile values for ( 6, 8)), so not all the possile values of 7 satisfying Conditions (1), (3), (4), (5), (6), (7) and (1) satisfy Condition (12). After a further test, we get that the numer of 7 satisfying Conditions (1), (3), (4), (5), (6), (7), (1) and (12) is As a result, we know that the numer of ( 6, 7, 8 ) satisfying Conditions (1), (3), (4), (5), (6), (7), (1) and (12) is = , so this is another flaw in Dai and Chen s results. Furthermore, we have that Pr FI(, 7 )( c) is 2 15 for each of 96 satisfying values for 7, 2 14 for each of 2432 satisfying values for 7, and for each of 128 satisfying values for In summary, there are approximately weak keys satisfying Conditions (1) (12), and the 7-round related-key differential α β has a minimum proaility of 2 58 under a weak key ( A, B ). In particular, we have the following result. Proposition 1. In the class of weak keys satisfying Conditions (1) (12), 1. there are 2 16 possile values for 1, 2 16 possile values for 3, and 2 16 possile values for 5 ; 2. there are possile values for ( 6, 7, 8 ); in particular there are a total of possile values for 7, and for every possile value of 7 there are 212 possile values for ( 6, 8); 3. there are a total of 2 8 possile values for 2,8 16, 216 possile values for 3, and 28 possile values for 4,8 16, where 2,8 16 denotes its (8,, 16) of 2 and 4,8 16 denotes its (8,, 16) of 4 ; 4. Pr FI(, 7 )( c) 2 15, Pr FI(, 2 )( c c) = Attacking the Full MISTY1 under the Class of Weak eys The 7-round related-key differential with proaility 2 58 can e used to conduct a relatedkey differential attack on the full MISTY1 when the user key used is a weak key from the class of weak keys. Preliminary Results. We first concentrate on the propagation of the input difference α(= 32 c) of the 7-round differential through the preceding Round 1, including the FL 1 and FL 2 functions, under ( A, B ); see Fig. 3. Under ( A, B ), y the key schedule of MISTY1 we have O 11 = 1 =, O 12 = 3 =, O 13 = 8 =, O 14 = 5 =, I 11 = 6 = c, I 12 = 2 =, I 13 = 4 =, L 1 = ( 1 7) =, L 2 = ( 3 5 ) =. As depicted in Fig. 3, the right half of α is ( 16 c), so the FI 11 function has a zero input difference; however since O 11 = and I 11 = c, the output difference of FI 11 is with proaility 1. The input difference of the FI 12 function is c, thus the first S 9 function

9 in FI 12 has an input difference a 2, and we assume its output difference is A {, 1} 9 ; the S 7 function in FI 12 has a zero input and output difference. The second S 9 function in FI 12 has an input difference A, and we assume its output difference is B {, 1} 9. As a result, the FI 12 function has an output difference X = (Trunc(A) (B ( 2 Trunc(A)))). A simple computer programming reveals that Trunc(A) can take all 2 7 possile values, and thus we assume that X can take all values in {, 1} 16. Since the input difference of the FI 13 function is 9 a, the first S 9 function in FI 13 has a zero input difference. The S 7 function in FI 13 has an input difference a, and we assume its output difference is D {, 1} 7, which can take only 2 6 possile values. The second S 9 function in FI 13 has an input difference 2 a, and we assume its output difference is E {, 1} 9. Consequently, the FI 13 function has an output difference Y = ((a D) (E ( 2 (a D)))), and it can take aout 2 15 values in {, 1} 16 ; we denote the set of 2 15 values y S d. The FL 1 function has an output difference ( 16 c), so its input difference can only e 32 its {}}{ of the form??, which will e denoted y η = (η L, η R ) in the following descriptions, where the question marker? represents an indeterminate it; and when the first question marker takes a zero value, the second question marker can take only 1, that is η has only three possile values, (The specific form depends on the values of the two sukey its 1,3 and 7,3 ). The FL 2 function has an output difference (X c) (X Y ( 9 a)), so its input difference is indeterminate, denoted y? in Fig. 3. From the aove analysis we can see that the sukeys I 121 and I 131 do not affect the values of X and Y, and thus they are not required when checking whether a candidate plaintext pair generates the input difference α = ( 32 c) of the 7-round related-key differential. Further, as 3 = FI( 3, 4 ), 4 = FI( 4, 5 ), 6 = FI( 6, 7 ) and 7 = FI( 7, 8 ), we have the following result. Proposition 2. Only the sukeys ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ) are required when checking whether a candidate plaintext pair produces the input difference α = ( 32 c) of the 7-round related-key differential. 9 Attack Procedure. We first precompute two hash tales T 1 and T 2. Oserve that from the left halves of a pair of plaintexts we only need ( 1, 3, 2,8 16 ) when computing the output difference X of the FI 12 function and only need ( 1, 6, 7, 8, 4,8 16 ) when computing the output difference Y of the FI 13 function. To generate T 1 and T 2, we do the following procedure under every 32-it value x = (x L x R ). 1. For every possile 1 : (a) Compute Z = (x L 1 ) ((x L η L ) 1 ) η R, and proceed to the following steps only when Z = c. () For every possile ( 3, 2,8 16 ), compute the output difference of FI 12 as X. 2. Store all satisfying ( 1, 3, 2,8 16 ) into Tale T 1 indexed y (x, η, X). 3. For every possile 7 : (a) Compute W = η L (((x L 1 ) x R ) 7 ) (((x L 1 ) x R c) 7 ), and proceed to the following steps only when W =. () For every possile ( 6, 8, 4,8 16 ), compute the output difference of FI 13 as Y. 4. Store the values of ( 6, 7, 8 ) corresponding to all satisfying ( 6, 7, 8) into Tale T 2 indexed y (x, η, Y, 1, 4,8 16 ). There are 2 16 possile values for 1, 2 16 possile values for 3, 2 8 possile values for 2,8 16, and 3 possile values for η. For a fixed (x, η, X), on average there are

10 1 32 its {}}{ η =??? c (X c) (X Y ( 9 a)) 3 5 c 9 a X ( 9 a) X Y ( 9 a) 1 S 9 I 112 = S7 S 9 I 111 = a 3 S 9 I 122 S7 S 9 I 121 X 8 S 9 I 132 S7 I 131 S 9 Y 5 X ( 9 a) c S 9 a 2 A I 122 A Trunc(A) I 132 X = (Trunc(A) (B ( 2 a 2 a a D Trunc(A)))) S7 S 9 B S 9 S7 S 9 I 121 D E I 131 Y = ((a D) (E ( 2 (a D)))) Fig. 3. Propagation of α through the inverse of Round 1 with FL 1 and FL = 2 23 satisfying values for ( 1, 3, 2,8 16 ) in T 1. The precomputation for T 1 takes aout FI computations, and T 1 requires a memory of aout ytes. There are possile values for 7, 212 possile values for ( 6, 8), 2 8 possile values for 4,8 16, and 215 possile values for Y. For a fixed (x, η, Y, 1, 4,8 16 ), on average there are = satisfying values for ( 6, 7, 8) in T 2. The precomputation for T 2 takes aout FI computations, and T 2 requires a memory of aout ytes. Note that we can use several tricks to optimise the procedure to reduce the computational complexity for generating the two tales, ut anyway it is negligile compared with the computational complexity of the following online attack procedure. We devise the following attack procedure to reak the full MISTY1 when a weak key is used. 1. Initialize zero to an array of counters corresponding to all the possile values for ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ). 2. Choose 2 6 ciphertext pairs (C, C = C ( 32 c 16 )). In a chosen-ciphertext attack scenario, otain the plaintexts for the ciphertexts C, C under A, B, respectively, and we denote y P = (P L L P L R, P R L P R R ) the plaintext for ciphertext C encrypted under A, y P = (P L L P L R, P R L P R R ) the plaintext for ciphertext C encrypted under B. 3. Check whether a plaintext pair (P, P ) meets the condition (P L L P L R )(P L L P L R ) = η y first checking the 3 it positions with a zero difference and then checking the remaining two it positions. eep only the satisfying plaintext pairs. 4. For every remaining plaintext pair (P, P ), do the following su-steps. (a) Guess a possile value for ( 3, 5), and compute (X, Y ) such that (X c) (X Y ( 9 a)) = FL(P R L P R R, 3 5 ) FL(P R L P R R, 3 5 ). Execute the next steps only if Y S d ; otherwise, repeat this step with another sukey guess.

11 () Access Tale T 1 at entry (P L L P L R, η, X) to get the satisfying values for ( 1, 3, 2,8 16 ). (c) For each satisfying value for ( 1, 3, 2,8 16 ), retrieve 4 from the equation 3 = FI( 3, 4 ), compute 4 = FI( 4, 5 ), and access Tale T 2 at entry (P L L P L R, η, Y, 1, 4,8 16 ) to get the satisfying values for ( 6, 7, 8 ). (d) Increase 1 to each of the counters corresponding to the otained values for ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ). 5. For a value of ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ) whose counter numer is equal to or larger than 3, exhaustively search the remaining 7 key its with two known plaintext-ciphertext pairs. If a value of ( 1, 2,, 8 ) is suggested, output it as the user key of the full MISTY1. 11 Attack Complexity. The attack requires = 2 61 chosen ciphertexts. In Step 3, only palintext pairs are expected to satisfy the condition, and it takes aout 2 6 memory accesses to otain the satisfying palintext pairs. Step 4(a) has a time complexity of aout = FL computations. In Step 4(), for a plaintext pair and a possile value for ( 3, 5), on average we otain 2 23 possile values for ( 1, 3, 2,8 16 ), as discussed in the procomputation phase; due to the filtering condition in Step 4(a), Step 4() has a time complexity of aout = memory accesses (if conducted on a 64-it computer). In Step 4(c), for a plaintext pair and a possile value for ( 1, 3, 5, 2,8 16, 3 ), on average we otain possile values for ( 6, 7, 8 ), (as discussed in the procomputation phase), thus Step 4(c) has a time complexity of aout = memory accesses. Step 4(d) has a time complexity of aout = memory accesses, where the factor 2 represents that a single operation requires two memory accesses when conducted on a 64-it computer. The proaility that the counter for a wrong ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ) has a numer equal to or larger than 3 is approximately 2 6 i=3 [( ) 2 6 i (2 64 ) i ( ) 26 i ] Thus, it is expected that there are a total of = wrong values of ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ) whose counters have a numer equal to or larger than 3. Thus it requires trial encryptions to check them in Step 5. In Step 5, a wrong value of ( 1, 2,, 8 ) is suggested with proaility = 2 128, so the numer of suggested values for ( 1, 2,, 8 ) is expected to e = 2 4.1, which is rather low. Thus, the time complexity of the attack is dominated y Steps 4(c), 4(d) and 5. On a general 64-it personal computer (with Intel Xeon Processor E563 running on Uuntu 1.4), we check that a full encryption using an optimised MISTY1 implementation twice as fast as the one given in [37] y the cipher designer equals aout 2 12 memory accesses in terms of time. Therefore, the attack has a total time complexity of aout MISTY1 encryptions. The counter for the correct key has an expected numer of = 4, and the proaility that the counter for the correct key has a numer equal to or larger than 3 is approximately 2 6 i=3 [( ) 2 6 i (2 58 ) i ( ) 26 i ].76. Therefore, the related-key differential attack has a success proaility of 76%. The memory complexity of the attack is dominated y the space for the array of counters, which is ytes. It is worthy to note that there exist time-memory tradeoff versions to the aove attack.

12 Another Class of Weak eys In the aove su-sections we have descried a class of weak keys and a related-key differential attack on the full MISTY1 under a weak key. However, we oserve that there exists another class of weak keys under which similar results hold. The new weak key class is otained y setting 7,3 = 1, which is further classified into two su-classes y the possile values of the sukey it 1,3. This will affect only the FL 1 function in the 7-round related-key differential, ut the output difference of FL 1 will e fixed once 1,3 is given, that is, the right half of the output difference of the resulting 7-round relatedkey differential will e c c when 1,3 = 1, and 16 c when 1,3 =. Thus, y choosing a numer of ciphertext pairs with a corresponding difference we can conduct a similar attack on the full MISTY1 under every su-class of weak keys. In total, we have weak keys under which a related-key differential attack can reak the full MISTY Weak eys of the Full MISTY1 for a Related-ey Amplified Boomerang Attack In this section, we first review Chen and Dai s class of 2 9 weak keys and their 7-round related-key amplified oomerang distinguisher with proaility Next, we descrie a slight improvement to Chen and Dai s 7-round related-key amplified oomerang distinguisher, which has a proaility of 2 116, and then present a related-key amplified oomerang attack on the full MISTY1 under the class of 2 9 weak keys. Finally, we descrie three other classes of 2 9 weak keys under which there exist similar results. 4.1 A Class of 2 9 Weak eys due to Chen and Dai First define the same three constants a,, c as used in Section 3.1, that is a 7-it constant a = 1, a 16-it constant = 11, and another 16-it constant c = 1, all in inary notation. Let A, B, C, D e four 128-it user keys defined as follows: A = ( 1, 2, 3, 4, 5, 6, 7, 8 ), B = ( 1, 2, 3, 4, 5, 6, 7, 8 ), C = ( 1, 2, 3, 4, 5, 6, 7, 8 ), D = ( 1, 2, 3, 4, 5, 6, 7, 8 ). By the key schedule of MISTY1 we can get the corresponding eight 16-it words for A, B, C, D, which are denoted as follows. A = ( 1, 2, 3, 4, 5, 6, 7, 8), B = ( 1, 2, 3, 4, 5, 6, 7, 8), C = ( 1, 2, 3, 4, 5, 6, 7, 8), D = ( 1, 2, 3, 4, 5, 6, 7, 8). Then, the class of weak keys is defined to e the set of all possile values for ( A, B, C, D ) that satisfy the following 12 conditions, where 5,3 denotes the 3-rd it of 5, and similar for 5,12, 4,3, 7,3, 7,12, 8, = c; (13) 6 6 = c; (14)

13 = ; (15) 5 5 = ; (16) 2 2 = c; (17) 6 6 = c; (18) 5,3 = 1; (19) 5,12 = ; (2) 4,3 = ; (21) 7,3 = 1; (22) 7,12 = ; (23) 8,3 =. (24) Now let us analyse the numer of the weak keys. First oserve that when Condition (13) holds, then Condition (15) holds with certainty; when Condition (14) holds, Condition (16) holds with certainty. Note that 2 = FI( 2, 3 ), 2 = FI( 2, 3), 4 = FI( 4, 5 ), 6 = FI( 6, 7 ), 6 = FI( 6, 7). By performing a computer search, we get {( 2, 3 ) Conditions (13) and (17)} = 2 16 ; {( 4, 5 ) Conditions (19), (2) and (21)} = 2 29 ; {( 6, 7 ) Conditions (14), (18), (22) and (23)} = Therefore, Chen and Dai [9] got that there are a total of 2 9 possile values for A satisfying the aove 12 conditions, and thus there are 2 9 weak keys. 4.2 Chen and Dai s 7-Round Related-ey Amplified Boomerang Distinguisher We now descrie Chen and Dai s related-key amplified oomerang distinguisher for Rounds 1 7 under the class of 2 9 weak keys ( A, B, C, D ) descried in Section 4.1. The first related-key differential α β for this distinguisher is the 2-round relatedkey differential ( 48 ) ( 32 c 16 ) with proaility 1 for Rounds 1 2 under ( A, B ) or under ( C, D ), where 48 represents a inary string of 48 zeros and so on. The second related-key differential γ δ for this distinguisher is the 5-round related-key differential ( 48 ) with proaility 2 27 for Rounds 3 7 under ( A, C ) or under ( B, D ). In Fig. 6 in Appendix A we illustrate the two related-key differentials in detail, where R 4,3 denotes the 3-rd it of R 4 (the right half of the output of Round 4), and R 4,12 denotes the 12-th it of R 4. Consequently, Chen and Dai otained a 7-round related-key amplified oomerang distinguisher with proaility 1 2 (2 27 ) = under a weak key ( A, B, C, D ). As a result, they presented an attack on 8-round MISTY1 without the last two FL functions, y conducting a key recovery on FO 8 (in a way similar to the early aort technique used in [32]). 4.3 An Improved 7-Round Related-ey Amplified Boomerang Distinguisher First focus on the FI 73 function in the second related-key differential γ δ used in Chen and Dai s 7-round distinguisher, where the proaility is Oserve that I 73 = 2 or 2, depending on which pair from a quartet is considered. Chen and Dai used a proaility value of 2 16 for the differential c c operating on FI 73. Similar to

14 14 what we mention in Section 3.3, we should make sure that a weak key ( A, B, C, D ) should also satisfy the condition that the differential c c is a possile differential for FI 73 ; otherwise, the differential c c would have a zero proaility, and the 7-round distinguisher would e flawed. Thus, we should put the following two additional conditions when defining a set of weak keys: Pr FI(, 2 )( c c) > ; (25) Pr FI(, 2 )( c c) >. (26) After performing a computer programming, we surprisingly find that the numer of ( 2, 3 ) satisfying Conditions (13),(17),(25) and (26) is equal to the numer of ( 2, 3 ) satisfying Conditions (13) and (17), that is {( 2, 3 ) Conditions (13), (17), (25) and (26)} = This means that the class of weak keys satisfying Conditions (13) (26) is the same as the class of weak keys satisfying Conditions (13) (24) due to Chen and Dai. But nevertheless we find something valuale: For each possile 2 or 2, there are exactly two pairs of inputs to FI 73 which follow the differential c c, that is to say, the differential c c for FI 73 has a proaility of 2 15, twice as large as the proaility value used y Chen and Dai. Therefore, the second related-key differential γ δ used in Chen and Dai s 7-round distinguisher actually has a proaility of 2 26, and the resulting 7-round distinguisher has proaility 1 2 (2 26 ) = under a weak key ( A, B, C, D ). Particularly we have the following result. Proposition 3. In the class of 2 9 weak keys satisfying Conditions (13) (26), 1. there are 2 16 possile values for 1, 2 14 possile values for 5, and 2 15 possile values for 8 ; 2. there are 2 14 possile values for ( 6, 7 ); in particular there are a total of 2 13 possile values for 7, and for every possile value of 7 there are 2 possile values for 6 ; 3. there are a total of 2 16 possile values for 3 ; 4. Pr FI(, 2 )( c c) = Pr FI(, 2 )( c c) = Attacking the Full MISTY1 under the Class of 2 9 Weak eys We devise a related-key amplified oomerang attack on the full MISTY1 under a weak key from the weak key class, asing it on the 7-round related-key amplified oomerang distinguisher with proaility Preliminary Results. First concentrate on the propagation of the output difference δ(= ) of the 7-round distinguisher through the following Round 8, including the FL 9 and FL 1 functions, under ( A, C ) or under ( B, D ); see Fig. 4. Under ( A, C ), y the key schedule of MISTY1 we have O 81 = 8 =, O 82 = 2 =, O 83 = 7 =, O 84 = 4 =, I 81 = 5 =, I 82 = 1 =, I 83 = 3 =, L 9 = ( 5 3) =, L 1 = ( 7 1 ) =. Since δ =, the FI 81 and FI 82 functions oth have a zero input difference. The first S 9 and S 7 in FI 81 oth have a zero input difference, however, as I 81 = we know the second S 9 in FI 81 has an input difference 2 a, thus the output difference of the FI 81

15 15 a X a X Y (a X) 8 5 = 1 = 2 = 7 3 FI 81 FI 82 FI 83 a X Y 4 a X a X Y (a X) 5 I 812 = ( 2 a) a X 3 S 9 S 7 S 9 a I 811 = a? 7 1 Fig. 4. Propagation of δ through Round 8 with FL 9 and FL 1 function has a form of a X, where X {, 1} 9 can take only 2 8 possile values, and we denote y S a the set of the 2 8 possile values for X. Since O 82 = and I 82 =, the FI 82 function has a zero output difference. Since O 83 =, the FI 83 function has an input difference a X. We assume the output difference for FI 83 is Y. Then, the FO 8 function has an output difference (a X) (Y (a X)), so the FL 9 function has an input difference (a X) (Y (a X)), ut its output difference is indeterminate (Denoted y the question marker in Fig. 4). The FL 1 function has a zero input and output difference. The same results hold for the propagation of δ under ( B, D ); note that X and Y under this case may take a different value from that case under ( A, C ). Finally, since the FI 82 function has a zero input and output difference, y the structure of the FO function we oserve that only the sukeys ( 1, 3, 5, 5, 5, 7, 7, 8) are required when checking whether a candidate quartet consisting of two ciphertext pairs produces the output difference δ = of the 7-round distinguisher. Since 5 = FI( 5, 6 ), 5 = 5 and 7 = FI( 7, 8 ), we have the following result. Proposition 4. Only the sukeys ( 1, 3, 5, 6, 7, 8 ) are required when checking whether a candidate quartet consisting of two ciphertext pairs satisfies the output difference δ = of the 7-round distinguisher. Attack Procedure. First we precompute two hash tales T 1 and T 2, as follows. Tale T 1. Note that I 81 = 5 or 5 (= 5 ), O 83 = 7, and I 83 = 3. Under every possile ( 3, 5, 7), we compute ( µ, ν) for every x = (x L x R ) {, 1} 32, as follows. µ = FI 81 (x L, 5) FI 81 (x L, 5 ), ν = FI 83 (FI 81 (x L, 5) X R 7, 3) FI 83 (FI 81 (x L, 5 ) X R 7, 3). By the structure of FI, we know the left 7 its of µ must e a, and µ has the form a X, that is µ = (a X), where X S a, where S a is defined aove. For a fixed ( 3, 5, 7, µ, ν), on average there are = 2 8 satisfying values for x. We store the satisfying values of x into tale T 1 indexed y the value ( 3, 5, 7, X, ν). There are 2 16 possile values for 3, at most 216 possile values for 5, 213 possile values for 7, 2 8 possile values for µ, and 2 16 possile values for ν, thus this precomputation takes aout = 2 71 FI computations, and T 1 requires a memory of aout = 2 79 ytes.

16 16 Tale T 2. Under every possile ( 1, 7, 8), we compute λ = ( 8 16 )FL 1 1 (x, 7 1) for each x {, 1} 32. There are 2 16 possile values for 1, 2 13 possile values for 7, 2 15 possile values for 8, and 2 16 possile values for 7. Note that 7 = FI 1 ( 7, 8). For a fixed (x, λ, 7 ), on average there are =.5 satisfying values for ( 1, 7, 8); for a fixed ( 1, 7, 8 ), there are 2 32 satisfying (x, λ). We make tale T 2 in the following manner: For every possile 7 : For every possile ( 1, 8 ): Compute 7 = FI( 7, 8 ). Find all the 2 32 possile (x, λ) such that λ = ( 8 16 ) FL 1 1 (x, 7 1). Store ( 1, 8 ) into Tale T 2 indexed first y 7 and then y (x, λ). Set a inary marker with two possile statuses, up and down, to the set of 2 32 tuples ( 7, 1, 8, x, λ). The marker s initial status is down. That is, for a 7, there are 2 31 markers corresponding to the 2 31 possile values of ( 1, 8 ); and 2 32 different (x, λ) that work under the same ( 7, 1, 8 ) share the same marker. T 2 requires a memory of aout = 2 78 ytes. This precomputation has a time complexity of aout = 2 76 FL 1 computations. Now we can give the following attack procedure to reak the full MISTY1. 1. Initialize zero to an array of 2 75 counters corresponding to all the 2 75 possile values for ( 1, 3, 5, 6, 7, 8 ). 2. Choose a set of plaintext pairs (P, P = P ( 48 )), and another set of plaintext pairs (P, P = P ( 48 )). In a chosen-plaintext attack scenario, otain the ciphertexts for the plaintexts P, P, P, P under A, B, C, D, respectively, and we denote y C = (CL L CL R, CR L CR R ) the ciphertext for plaintext P encrypted under A, y C = (CL L CL R, CR L CR R ) the ciphertext for plaintext P encrypted under B, y C = (CL L CL R, CR L CR R ) the ciphertext for plaintext P encrypted under C, and y C = (CL L CL R, CR L CR R ) the ciphertext for plaintext P encrypted under D. 3. Check whether a candidate quartet (C, C, C, C ) meets oth the following conditions y storing the ciphertext pairs (C, C ) and (C, C ) into a hash tale indexed y the values CR L CR R CRL CR R and CR L CR R CR L CR R. (CR L CR R ) (CR L CR R) =, (CR L CR R) (CR L CR R) =. eep only the satisfying quartets. 4. For every remaining quartet (C, C, C, C ), do the following su-steps. (a) Choose all the possile 3 satisfying the following conditions: (CL R 3) CL L (CL R 3) CL L = a X, (CL R 3) CL L (CL R 3) CL L = a X, where X, X represents two indeterminate 9-it values, (X, X can e different for different quartets, ut oviously their values are fixed for a given quartet and 3 ). () For every satisfying 3, do as follows. i. Guess 5, and compute the difference just efore the FL 1 9 function etween C and C, and the difference just efore the FL 1 9 function etween C and

17 17 C. Let FL 1 9 (CL L CL R, 5 3) FL 1 9 (CL L CL R, 5 3) = a X (Y (a X )), FL 1 9 (CL L CL R, 5 3) FL 1 9 (CL L CL R, 5 3) = a X (Y (a X )), where Y, Y represent specific 16-it values. ii. Guess 7 ; y Proposition 3-(2) we know there are two corresponding values for 6 (for each guessed 7 ), and we denote them y 6 and 6. Then, do the following four su-steps. A. Compute 5 = FI( 5, 6 ); 5 = FI( 5, 6 ). B. For (C, C ), access Tale T 1 at entry ( 3, 5, 7, X, Y ) to get the possile 32-it inputs to the FO 8 function excluding the XOR operation with O 81. As discussed earlier, when X S a, on average there are 2 8 possile inputs, and we denote them y x 1, x 2,, x 256 ; when X does not elong to S a we get no input and go to execute Step 4()(ii)(D). Similarly, for (C, C ), access Tale T 1 at entry ( 3, 5, 7, X, Y ) to get the possile 32-it inputs to the FO 8 function excluding the XOR operation with O 81, and we denote them y x 1, x 2,, x 256 when X S a ; when X does not elong to S a there is no input and we execute Step 4()(ii)(D). C. For i = 1, 2,, 256, access Tale T 2 at entry ( 7, CL L CL R, x i ) and flip the corresponding marker up. For i = 1, 2,, 256, access Tale T 2 at entry ( 7, CL L CL R, x i ) and check whether the corresponding marker is up or down; if it is up, get the corresponding ( 1, 8 ) and increase 1 to the counter corresponding to the guessed ( 1, 3, 5, 6, 7, 8 ), otherwise execute the next iteration (Initialize the markers in T 2 to e down after finishing all the 256 iterations). D. Repeat the aove two su-steps (B) and (C) similarly for the case 5. When X or X does not elong to S a, there is no input, and we execute Step 4()(ii) with another guess for 7. (If this su-step is done, go to Step 4()(ii), etc.) 5. For a value of ( 1, 3, 5, 6, 7, 8 ) whose counter has a non-zero numer, exhaustively search the remaining key its with two known plaintext-ciphertext pairs. If a value of ( 1, 2,, 8 ) is suggested, output it as the user key of the full MISTY1. Note that in Step 4()(ii) we check the two pairs from a candidate quartet one after the other, instead of checking them simultaneously. This is the early aort technique for the (related-key) rectangle attack, descried in [31] as well as in Chapter 4.4 of [3]. Attack Complexity. The attack requires = chosen plaintexts. There are a total of = candidate quartets (C, C, C, C ), of which only (2 32 ) 2 = 2 53 quartets are expected to satisfy the two conditions in Step 3. It takes aout memory accesses to otain the satisfying quartets. For every remaining quartet, on average there exist 2 16 (2 7 ) 2 = 2 2 possile values for 3 satisfying the two conditions in Step 4(a). Step 4(a) has a time complexity of aout = 27 FL computations. There are a total of 2 14 possile values for 5, thus Step 4()(i) has a time complexity

18 18 of = 27 FL computations (Note that some required intermediate values have een computed in Step 4(a)). There are a total of 2 13 possile values for 7, so Step 4()(ii)(A) has a time complexity of = 2 83 FI computations. Step 4()(ii)(B) has a time complexity of aout = memory accesses (if conducted on a 64-it computer), due to one-it filtering condition on X. Because of one-it filtering condition on X, Step 4()(ii)(C) has a time complexity of aout = 2 89 memory accesses. Step 4()(ii)(D) has a time complexity of aout = memory accesses. The proaility that the counter for a wrong ( 1, 3, 5, 6, 7, 8 ) has a non-zero numer is approximately i=1 [( ) i (2 128 ) i ( ) 2117 i ] Thus, it is expected that there are a total of = 2 64 wrong values of ( 1, 3, 5, 6, 7, 8 ) whose counters are non-zero, so in total we need to access the array of counters only 2 64 times in Steps 4()(ii)(C) and 4()(ii)(D). The 2 64 wrong values of ( 1, 3, 5, 6, 7, 8 ) make at most 2 79 possile values for ( 1, 2,, 8 ), and thus it requires trial encryptions to check them in Step 5. In Step 5, a wrong value of ( 1, 2,, 8 ) is suggested with proaility = 2 128, so it is expected that there remain = 2 49 values for ( 1, 2,, 8 ); that is to say, the numer of suggested wrong user keys is rather low. Hence, the time complexity of the attack is dominated y Steps 4()(ii)(B), 4()(ii)(C) and 4()(ii)(D), which is memory accesses, plus Step 5. Therefore, y the evaluation used in Section 3.4, the attack has a total time complexity of aout MISTY1 encryptions. The counter for the correct key has an expected numer of = 2, and the proaility that the counter for the correct key has a non-zero numer is approximately i=1 [( ) i (2 116 ) i ( ) 2117 i ].86. Therefore, the related-key impossile oomerang attack has a success proaility of 86%. The memory complexity of the attack is dominated y the space for the array of 2 75 counters, which is ytes. Taking the storage space for T 1 and T 2 into consideration, we need a total memory space of ytes. It is very worthy to note that we can slightly reduce the memory space y splitting T 1 into two smaller tales which mainly correspond to FI 81 and FI 83 respectively, ut at the cost of a few more memory accesses in the attack procedure. 4.5 Three Other Classes of 2 9 Weak eys The aove su-sections have shown a class of 2 9 weak keys and a related-key amplified oomerang attack on the full MISTY1 under a weak key. Nevertheless, there exist three other classes of 2 9 weak keys under which there are similar results. The new weak key classes are otained y setting other possile values for the two sukey its ( 5,3, 5,12 ), which are further classified into several su-classes y the possile values of the two sukey its comination ( 3,3, 3,12 ). This will affect only the FL 2 function of the first relatedkey differential, and the input difference of FL 2 will e fixed once the setting is given, provided that the output difference of FL 2 is 9 a. Likewise, y choosing a numer of plaintext pairs with a corresponding difference we can conduct a similar attack on the full MISTY1 under every su-class of weak keys. In total, we have 2 92 weak keys under which a related-key amplified oomerang attack can reak the full MISTY1. One might consider otaining more weak keys y setting 4,3 = 1, instead of 4,3 = used in our results. This case will affect only the output difference of the FL 4 function of the first related-key differential, and it seems that we can further classify the resulting class of weak keys into two su-classes according to the possile values of the sukey it

Differential Attack on Five Rounds of the SC2000 Block Cipher

Differential Attack on Five Rounds of the SC2000 Block Cipher Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com

More information

Differential-Linear Cryptanalysis of Serpent

Differential-Linear Cryptanalysis of Serpent Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,

More information

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy

More information

Impossible Differential Attacks on 13-Round CLEFIA-128

Impossible Differential Attacks on 13-Round CLEFIA-128 Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential

More information

Impossible Boomerang Attack for Block Cipher Structures

Impossible Boomerang Attack for Block Cipher Structures Impossible Boomerang Attack for Block Cipher Structures Jiali Choy and Huihui Yap DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali, yhuihui@dso.org.sg Abstract. Impossible

More information

Differential and Rectangle Attacks on Reduced-Round SHACAL-1

Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham,

More information

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Advanced differential-style cryptanalysis of the NSA's skipjack block cipher

Advanced differential-style cryptanalysis of the NSA's skipjack block cipher Loughborough University Institutional Repository Advanced differential-style cryptanalysis of the NSA's skipjack block cipher This item was submitted to Loughborough University's Institutional Repository

More information

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256 Improved Impossible Differential ttack on educed Version of Camellia-92/256 Ya iu, Dawu Gu, Zhiqiang iu, Wei i 2,3 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai

More information

Related-Key Rectangle Attack on 42-Round SHACAL-2

Related-Key Rectangle Attack on 42-Round SHACAL-2 Related-Key Rectangle Attack on 42-Round SHACAL-2 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham, Surrey TW20

More information

Impossible Differential Cryptanalysis of Mini-AES

Impossible Differential Cryptanalysis of Mini-AES Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my

More information

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,

More information

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National

More information

A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony

A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony Orr Dunkelman, Nathan Keller, and Adi Shamir Faculty of Mathematics and Computer Science Weizmann Institute of

More information

Complementing Feistel Ciphers

Complementing Feistel Ciphers Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,

More information

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3 Attacks on DES 1 Attacks on DES Differential cryptanalysis is an attack on DES that compares the differences (that is, XOR values between ciphertexts of certain chosen plaintexts to discover information

More information

Compactness vs Collusion Resistance in Functional Encryption

Compactness vs Collusion Resistance in Functional Encryption Compactness vs Collusion Resistance in Functional Encryption Baiyu Li Daniele Micciancio April 10, 2017 Astract We present two general constructions that can e used to comine any two functional encryption

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

Cryptanalysis of the SIMON Family of Block Ciphers

Cryptanalysis of the SIMON Family of Block Ciphers Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

New Results on Boomerang and Rectangle Attacks

New Results on Boomerang and Rectangle Attacks New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,

More information

Lecture 4: DES and block ciphers

Lecture 4: DES and block ciphers Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the

More information

Block Cipher Cryptanalysis: An Overview

Block Cipher Cryptanalysis: An Overview 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution

More information

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,

More information

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,

More information

The Hash Function JH 1

The Hash Function JH 1 The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred

More information

FFT-Based Key Recovery for the Integral Attack

FFT-Based Key Recovery for the Integral Attack FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose

More information

Bit-Pattern Based Integral Attack

Bit-Pattern Based Integral Attack Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,

More information

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography

More information

The Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA

The Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA : Cryptanalysis of Reduced Round CLEFIA École Polytechnique Fédérale de Lausanne, Switzerland (This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey INDOCRYPT

More information

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline

More information

MasterMath Cryptology /2 - Cryptanalysis

MasterMath Cryptology /2 - Cryptanalysis MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions

More information

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

Security of the SMS4 Block Cipher Against Differential Cryptanalysis Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security

More information

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Improved Multiple Impossible Differential Cryptanalysis of Midori128 Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,

More information

Truncated differential cryptanalysis of five rounds of Salsa20

Truncated differential cryptanalysis of five rounds of Salsa20 Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters

More information

A Brief Comparison of Simon and Simeck

A Brief Comparison of Simon and Simeck A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based

More information

Security of the AES with a Secret S-box

Security of the AES with a Secret S-box Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How

More information

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,

More information

Distinguishing Attack on Common Scrambling Algorithm

Distinguishing Attack on Common Scrambling Algorithm 410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology

More information

Linear Cryptanalysis of RC5 and RC6

Linear Cryptanalysis of RC5 and RC6 Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be

More information

Integrals go Statistical: Cryptanalysis of Full Skipjack Variants

Integrals go Statistical: Cryptanalysis of Full Skipjack Variants Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;

More information

Linear Cryptanalysis of Reduced-Round Speck

Linear Cryptanalysis of Reduced-Round Speck Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information

More information

The Mean Version One way to write the One True Regression Line is: Equation 1 - The One True Line

The Mean Version One way to write the One True Regression Line is: Equation 1 - The One True Line Chapter 27: Inferences for Regression And so, there is one more thing which might vary one more thing aout which we might want to make some inference: the slope of the least squares regression line. The

More information

Related-Key Boomerang and Rectangle Attacks,

Related-Key Boomerang and Rectangle Attacks, Related-Key Boomerang and Rectangle Attacks, Jongsung Kim 1, Seokhie Hong 2, Bart Preneel 3, li Biham 4, Orr Dunkelman 3,5,7,, and Nathan Keller 6,7, 1 Division of e-business, Kyungnam University, 449,

More information

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,

More information

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

A Unified Method for Finding Impossible Differentials of Block Cipher Structures A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai

More information

Revisit and Cryptanalysis of a CAST Cipher

Revisit and Cryptanalysis of a CAST Cipher 2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia

More information

Algebraic Techniques in Differential Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos

More information

Structural Evaluation by Generalized Integral Property

Structural Evaluation by Generalized Integral Property Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against

More information

Improbable Differential Cryptanalysis and Undisturbed Bits

Improbable Differential Cryptanalysis and Undisturbed Bits Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short

More information

S-box (Substitution box) is a basic component of symmetric

S-box (Substitution box) is a basic component of symmetric JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates

More information

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra 1, Goutam Paul 1, Willi Meier 1 Indian Statistical Institute, Kolkata, India {subho,goutam.paul}@isical.ac.in FHNW, Windisch, Switzerland

More information

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks

More information

Linear Cryptanalysis of DES with Asymmetries

Linear Cryptanalysis of DES with Asymmetries Linear Cryptanalysis of DES with Asymmetries Andrey Bogdanov and Philip S. Vejre Technical University of Denmark {anbog,psve}@dtu.dk Abstract. Linear cryptanalysis of DES, proposed by Matsui in 1993, has

More information

Towards Provable Security of Substitution-Permutation Encryption Networks

Towards Provable Security of Substitution-Permutation Encryption Networks Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,

More information

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL

More information

Chapter 2 - Differential cryptanalysis.

Chapter 2 - Differential cryptanalysis. Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered

More information

The Artin-Feistel Symmetric Cipher

The Artin-Feistel Symmetric Cipher The Artin-Feistel Symmetric Cipher May 23, 2012 I. Anshel, D. Goldfeld. Introduction. The Feistel cipher and the Braid Group The main aim of this paper is to introduce a new symmetric cipher, which we

More information

Ciphertext-only Cryptanalysis of a Substitution Permutation Network

Ciphertext-only Cryptanalysis of a Substitution Permutation Network Ciphertext-only Cryptanalysis of a Substitution Permutation Network No Author Given No Institute Given Abstract. We present the first ciphertext-only cryptanalytic attack against a substitution permutation

More information

Minimizing a convex separable exponential function subject to linear equality constraint and bounded variables

Minimizing a convex separable exponential function subject to linear equality constraint and bounded variables Minimizing a convex separale exponential function suect to linear equality constraint and ounded variales Stefan M. Stefanov Department of Mathematics Neofit Rilski South-Western University 2700 Blagoevgrad

More information

A Pseudo-Random Encryption Mode

A Pseudo-Random Encryption Mode A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of

More information

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Debra L. Cook 1, Moti Yung 2, Angelos Keromytis 3 1 Columbia University, New York, NY USA dcook@cs.columbia.edu 2 Google, Inc. and Columbia

More information

Two-Stage Improved Group Plans for Burr Type XII Distributions

Two-Stage Improved Group Plans for Burr Type XII Distributions American Journal of Mathematics and Statistics 212, 2(3): 33-39 DOI: 1.5923/j.ajms.21223.4 Two-Stage Improved Group Plans for Burr Type XII Distriutions Muhammad Aslam 1,*, Y. L. Lio 2, Muhammad Azam 1,

More information

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an

More information

Block Ciphers and Systems of Quadratic Equations

Block Ciphers and Systems of Quadratic Equations Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium

More information

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk

More information

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low

More information

Optimized Interpolation Attacks on LowMC

Optimized Interpolation Attacks on LowMC Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering

More information

Module 2 Advanced Symmetric Ciphers

Module 2 Advanced Symmetric Ciphers Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm

More information

On Stream Ciphers with Small State

On Stream Ciphers with Small State ESC 2017, Canach, January 16. On Stream Ciphers with Small State Willi Meier joint work with Matthias Hamann, Matthias Krause (University of Mannheim) Bin Zhang (Chinese Academy of Sciences, Beijing) 1

More information

New Combined Attacks on Block Ciphers

New Combined Attacks on Block Ciphers New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute

More information

The Euphrates Cipher

The Euphrates Cipher IJCSI International Journal of Computer Science Issues, Volume, Issue, March ISSN (Print): 9-8 ISSN (Online): 9-8 www.ijcsi.org The Euphrates Cipher Omar A. Dawood, Adul Monem S. Rahma and Adul Mohssen

More information

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/

More information

Nonlinear Invariant Attack

Nonlinear Invariant Attack Nonlinear Invariant Attack Practical Attack on Full SCREAM, iscream, and Midori64 Yosuke Todo 13, Gregor Leander 2, and Yu Sasaki 1 1 NTT Secure Platform Laboratories, Tokyo, Japan todo.yosuke@lab.ntt.co.jp,

More information

Chapter 1 - Linear cryptanalysis.

Chapter 1 - Linear cryptanalysis. Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =

More information

#A50 INTEGERS 14 (2014) ON RATS SEQUENCES IN GENERAL BASES

#A50 INTEGERS 14 (2014) ON RATS SEQUENCES IN GENERAL BASES #A50 INTEGERS 14 (014) ON RATS SEQUENCES IN GENERAL BASES Johann Thiel Dept. of Mathematics, New York City College of Technology, Brooklyn, New York jthiel@citytech.cuny.edu Received: 6/11/13, Revised:

More information

On related-key attacks and KASUMI: the case of A5/3

On related-key attacks and KASUMI: the case of A5/3 On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1, M.J.B. Robshaw 2, Huaxiong Wang 1 1 Nanyang Technological University, Singapore 2 Applied Cryptography Group, Orange Labs, France

More information

Type 1.x Generalized Feistel Structures

Type 1.x Generalized Feistel Structures Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized

More information

Stream Ciphers: Cryptanalytic Techniques

Stream Ciphers: Cryptanalytic Techniques Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic

More information

Linear Cryptanalysis Using Multiple Approximations

Linear Cryptanalysis Using Multiple Approximations Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in

More information

Division Property: a New Attack Against Block Ciphers

Division Property: a New Attack Against Block Ciphers Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption

More information

Smooth Projective Hashing and Two-Message Oblivious Transfer

Smooth Projective Hashing and Two-Message Oblivious Transfer Smooth Projective Hashing and Two-Message Olivious Transfer Shai Halevi IBM Research Yael Tauman Kalai Microsoft Research Octoer 31, 2010 Astract We present a general framework for constructing two-message

More information

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Cryptography Lecture 4 Block ciphers, DES, breaking DES Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages

More information

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits

More information

A Byte-Based Guess and Determine Attack on SOSEMANUK

A Byte-Based Guess and Determine Attack on SOSEMANUK A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy

More information

New Observation on Camellia

New Observation on Camellia New Observation on Camellia Duo ei 1,iChao 2,andeqinFeng 3 1 Department of cience, National University of Defense Technology, Changsha, China Duoduolei@163.com 2 Department of cience, National University

More information

Improving the Time Complexity of Matsui s Linear Cryptanalysis

Improving the Time Complexity of Matsui s Linear Cryptanalysis Improving the Time Complexity of Matsui s Linear Cryptanalysis B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group, Université Catholique de Louvain Abstract. This paper reports on an improvement

More information

Module 9: Further Numbers and Equations. Numbers and Indices. The aim of this lesson is to enable you to: work with rational and irrational numbers

Module 9: Further Numbers and Equations. Numbers and Indices. The aim of this lesson is to enable you to: work with rational and irrational numbers Module 9: Further Numers and Equations Lesson Aims The aim of this lesson is to enale you to: wor with rational and irrational numers wor with surds to rationalise the denominator when calculating interest,

More information

Security Evaluation of Stream Cipher Enocoro-128v2

Security Evaluation of Stream Cipher Enocoro-128v2 Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of

More information

From Single-Bit to Multi-Bit Public-Key Encryption via Non-Malleable Codes

From Single-Bit to Multi-Bit Public-Key Encryption via Non-Malleable Codes An extended astract of this paper is pulished in the proceedings of the twelfth IACR Theory of Cryptography Conference TCC 2015. This is the full version. rom Single-Bit to Multi-Bit Pulic-Key Encryption

More information

A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS

A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS Guanhan Chew, Khoongming Khoo DSO National Laboratories, 20 Science Park Drive, Singapore 118230 cguanhan,kkhoongm@dso.org.sg

More information

Luis Manuel Santana Gallego 100 Investigation and simulation of the clock skew in modern integrated circuits. Clock Skew Model

Luis Manuel Santana Gallego 100 Investigation and simulation of the clock skew in modern integrated circuits. Clock Skew Model Luis Manuel Santana Gallego 100 Appendix 3 Clock Skew Model Xiaohong Jiang and Susumu Horiguchi [JIA-01] 1. Introduction The evolution of VLSI chips toward larger die sizes and faster clock speeds makes

More information

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang

More information

On the Complexity of the BKW Algorithm on LWE

On the Complexity of the BKW Algorithm on LWE On the Complexity of the BKW Algorithm on LWE Martin R. Alrecht 1, Carlos Cid 3, Jean-Charles Faugère, Roert Fitzpatrick 3, and Ludovic Perret 1 Technical University of Denmark, Denmark INRIA, Paris-Rocquencourt

More information

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Cryptanalysis of SP Networks with Partial Non-Linear Layers Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3,5,, Virginie Lallemand 4,, Nathan Keller 1,5,, and Boaz Tsaban 1 1 Department of Mathematics,

More information

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types

More information