Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Size: px
Start display at page:

Download "Improved Impossible Differential Attack on Reduced Version of Camellia-192/256"

Transcription

1 Improved Impossible Differential ttack on educed Version of Camellia-92/256 Ya iu, Dawu Gu, Zhiqiang iu, Wei i 2,3 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 20020,China, {liuya06, dwgu, ilu zq}@sjtu.edu.cn 2 School of Computer Science and Technology, Donghua University, Shanghai 20620, China 3 Shanghai Key aboratory of Integrate dministration Technologies for Information Security, Shanghai 20020, China liwei.cs.cn@gmail.com bstract s an ISO/IEC international standard, Camellia has been used various cryptographic applications. In this paper, we improve previous attacks on Camellia-92/256 with key-dependent layers F/F by using the intrinsic weakness of keyed functions. Specifically, we present the first impossible differential attack on 3-round Camellia with chosen ciphertexts and round encryptions, while the analysis for the biggest number of rounds in previous results on Camellia-92 worked on 2 rounds. Furthermore, we successfully attack -round Camellia-256 with chosen ciphertexts and round encryptions. Compared with the previously best known attack on -round Camellia-256, the time complexity of our attack is reduced by times and the data complexity is comparable. Key words: Block Cipher, Camellia, Impossible Differential Cryptanalysis. Introduction The 28-bit block cipher Camellia was jointly developed by NTT and Mitsubishi in 2000 []. It supports three kinds of key sizes, i.e., 28 bits, 92 bits and 256 bits. For simplicity, they can be usually denoted as Camellia-28, Camellia-92 and Camellia-256, respectively. Camellia adopts the basic Feistel structure with two key-dependent transformations inserted every six rounds. The goals for such a design are to provide non-regularity across rounds and to thwart future unknown attacks. In 2002, Camellia was selected as one of the CYPTEC e-government recommended ciphers. In 2003, it was recommended in NESSIE block cipher portfolio. Finally, it was adopted as an international standard by ISO/IEC []. So far, a lot of researchers have used various methods to attack Camellia such as linear cryptanalysis, differential cryptanalysis, higher order differential attack, impossible differential attack and so on. mong them, most attacks involved in reduced-round Camellia without F/F and whitening layers [5, 6, 7,,, 5, 6, 7, 8], only three attacks focused on the security of reduced-round Camellia with F/F and whitening layers [3, 9, 0], and four attacks analyzed the security of reduced-round Camellia with F/F layers [8, 3, 2, 2]. For Camellia with F/F layers, i et al. attacked 2-round Camellia-92 with chosen plaintexts and 2 8 encryptions and - round Camellia-256 with 2 20 chosen ciphertexts and encryptions [8], lv et al. mounted impossible differential attacks on 0-round Camellia-28 with 2 8 chosen plaintexts and 2 8 encryptions and -round Camellia-92 with 2 8 chosen plaintexts and encryptions [3], Bai et al. improved i s results to attack 2-round Camellia-92 with chosen plaintexts and 2 7. encryptions and -round Camellia-256 with chosen plaintexts and encryptions [2], lv et al. gave higher-order meet-in-the-middle attacks on 0-round Camellia-28 with 2 93 chosen plaintexts and encryptions, -round Camellia-92 with 2 78 chosen plaintexts and encryptions as well as 2-round Camellia-256 with 2 9 chosen plaintexts and encryptions [2]. Impossible differential cryptanalysis was independently proposed by Knudsen and Biham. Unlike traditional differential cryptanalysis, the adversary requires to construct two truncated differentials with probability one which meet a contradiction in the middle. This new differential with probability zero is called an impossible differential. By using this impossible differential, we can remove all wrong candidates of the secret key until the correct one is left. Preprint submitted to Information Processing etters June 5, 202

2 Table : Summary of attacks on reduced-round Camellia-92/256 without the whitening layers Key Size ounds ttack Type Data Time(Enc) Memory (Bytes) Source Camellia-92 Impossible DC 2 8 CP [2] HO-MitM 2 9 CP [3] Impossible DC CP [2] 2 Impossible DC CP [8] 2 Impossible DC CP [2] 2 Impossible DC CP Section 3. 3 Impossible DC CC Section 3.2 Camellia HO-MitM 2 9 CP [3] Impossible DC 2 20 CC [8] Impossible DC CC [2] Impossible DC CC Section DC: Differential Cryptanalysis; CP/CC: Chosen Plaintexts/Chosen Ciphertexts; HO-MitM: Higher Order Meet-in-the-Middle ttack; Enc: Encryptions; s one of the most powerful methods, impossible differential cryptanalysis is used to analyze the securities of many block ciphers such as ES, CEFI, I, MISTY and so on. In this paper, we improve previous attacks on Camellia-92/256 with two key-dependent layers F/F by using the intrinsic weakness of keyed transformations. We first attack 2-round Camellia-92 with chosen plaintexts, round encryptions and bytes. Compared with the previously fastest known attack on 2- round Camellia-92, the time and memory complexities of our attack are reduced by times and times and the data complexity is comparable. Second, we further improve our result and derive the first attack on 3-round Camellia- 92 with chosen ciphertexts, round encryptions and bytes, while the analysis for the biggest number of rounds in previous results on Camellia-92 worked on 2 rounds. Finally, we propose improved impossible differential cryptanalysis of -round Camellia-256 with chosen ciphertexts, round encryptions and 2 3. bytes, which is times faster than previously best known attack on -round Camellia-256. In table, we summarize our results along with the former known ones on Camellia-92/256. The remainder of this paper is organized as follows. Section 2 introduces some preliminaries. Section 3 gives a chosen plaintext attack on 2-round Camellia-92 and a chosen ciphertext attack on 3-round Camellia-92. Section presents an impossible differential attack on -round Camellia-256. Section 5 summarizes this paper. 2. Preliminaries 2.. Some Notations - P, C: the plaintext and the ciphertext; - i, i : the left half and the right half of the i-th round input; - i, i : the left half and the right half of the input difference in the i-th round; - kw kw 2, kw 3 kw : the pre-whitening key and the post-whitening key; - k i, kl i ( i 6): the subkey used in the i-th round and 6-bit keys used in the F/F layers; - S r, S r : the output and the output difference of the S-boxes in the r-th round; - X Y, X j: the concatenation of X and Y, left rotation of X by j bits; - X ( n 2 ), X ( n 2 ) : the left half and the right half of a n-bit word X; - X i, X {i, j}, X {i j} : the i-th byte, the i-th and j-th bytes and the i-th to the j-th bytes of X; - X i, X (i, j), X (i j) : the i-th bit, the i-th and j-th bits and the i-th to j-th bits of X; -,, : bitwise exclusive-o (XO), ND, and O operations, respectively; - 0 (i), (i) : consecutive i bits are zero or one The Block Cipher Camellia Camellia [] is a 28-bit block cipher. It adopts the basic Feistel structure with the key-dependent functions F/F inserted every 6 rounds. Camellia supports variable key sizes and the number of rounds depends on the 2

3 key size, i.e., 8 rounds for a 28-bit key size and 2 rounds for 92/256-bit key sizes. The encryption algorithm of Camellia can be expressed as follows:. 0 0 = P (kw kw 2 ), 2. For r= to Nr: if r 6k, where k=,, Nr/6, then r = r F( r, k r ), r = r. else r= r F( r, k r ), r= r ; r = F( r, kl r/3 ), r = F ( r, kl r/3 ); 3. C= ( Nr kw 3 ) ( Nr kw ). Here the round function includes an XO operation with a round key, an nonlinear transformation S and a linear function P. mong it, the linear transformation P and its inverse function P are defined as follows: z = y y 3 y y 6 y 7 y 8 ; y = z 2 z 3 z z 6 z 7 z 8 ; z 2 = y y 2 y y 5 y 7 y 8 ; y 2 = z z 3 z z 5 z 7 z 8 ; z 3 = y y 2 y 3 y 5 y 6 y 8 ; y 3 = z z 2 z z 5 z 6 z 8 ; z = y 2 y 3 y y 5 y 6 y 7 ; y = z z 2 z 3 z 5 z 6 z 7 ; z 5 = y y 2 y 6 y 7 y 8 ; y 5 = z z 2 z 5 z 7 z 8 ; z 6 = y 2 y 3 y 5 y 7 y 8 ; y 6 = z 2 z 3 z 5 z 6 z 8 ; z 7 = y 3 y y 5 y 6 y 8 ; y 7 = z 3 z z 5 z 6 z 7 ; z 8 = y y y 5 y 6 y 7 ; y 8 = z z z 6 z 7 z 8 ; where (y, y 2, y 3, y, y 5, y 6, y 7, y 8 ) and (z, z 2, z 3, z, z 5, z 6, z 7, z 8 ) are the input and output of P. The key-dependent function F : (X X, kl kl ) Y Y, where Y = ((X kl ) ) X, Y = (Y kl ) X. Key Schedule of Camellia-92/256. The key schedule of Camellia applies a 6-round Feistel structure to derive two 28-bit intermediate variables K and K B from 28-bit variables K and K, and then all round subkeys can be generated by K, K, K and K B. For Camellia-92, the left 28-bit of the key K is used as K, and the concatenation of the right 6-bit of the key K and the complement of the right 6-bit of the key K is used as K. For Camellia-256, the main key K is separated into two 28-bit variables K and K, i.e., K=K K ound Impossible Differentials of Camellia In [0], iu et al. presented 8-round impossible differentials of Camellia with two F/F layers as follows: Property. For an 8-round Camellia encryption with two F/F layers inserted after the first and seventh rounds, the input difference of the first round is ( , a a 0 0 0) and the output difference of the eighth round is (b b 0 0 0, ) with a and b being nonzero bytes and a () = b () = a (8) = b (8) = 0. Four subkeys kl i (i=,, ) are used in two F/F layers. If a and b satisfy the following equations: { 0, if kl a (i) (i+) = = 0; a (i+), if kl (i+) = ; { 0, if kl b (i) (i+) = = 0; b (i+), if kl (i+) = ; for i 7, then ( , a a 0 0 0) 8 (b b 0 0 0, )is an 8-round impossible differential of Camellia with two F/F layers (See Fig. ). For each value of kl (2 8), denote the corresponding impossible differential by i. et ={ i 0 i 2 }. ll differentials of can be divided into three cases, i.e., () a = b = 0, (2) a = 0 and b 0, or a 0 and b = 0, (3) a 0 and b 0. Since property only gave the existence of an 8-round impossible differential of Camellia for any fixed key value, they proposed an attack strategy to recover the master key in the following: The ttack Strategy. Select a differential i from. Based on it, we mount an impossible differential attack on reduced-round Camellia given enough plaintext pairs. - If one subkey will be kept, we recover the secret key by the key schedule and verify whether it is correct by some plaintext-ciphertext pairs. If success, halt this attack. Otherwise, try another differential j ( j i) of and perform a new impossible differential attack. - If no subkeys or more than one subkeys are left, select another differential of to execute a new impossible differential attack. 3

4 Figure : The Structure of 8-ound Impossible Differentials of Camellia 3. Impossible Differential Cryptanalysis of educed-ound Camellia-92 In this section, we mount a chosen plaintext attack on 2-round Camellia-92 from rounds 3 to and a chosen ciphertext attack on 3-round Camellia-92 from rounds 3 to 5. Some previous skills such as building hash tables and the early abort technique [] are also adopted. Moreover, we make full use of the corresponding subkey for each 8-round differential of to reduce the guessed key space. 3.. Impossible Differential Cryptanalysis of 2-ound Camellia-92 By setting three rounds at the top and one round at the bottom of 8-round differentials, we attack 2-round Camellia-92 from rounds 3 to. We divide all differentials of into three cases to discuss our attack as follows. Case a = b = 0. The 8-round impossible differential is =( , a ) 8 (b , ), where a and b are non-zero bytes and a () = b () = 0. t this time, the corresponding subkey is kl (2 8) = K (3 37) K (25 27) = 0 (). See Figure 2.. Choose structures of plaintexts. Each structure contains 2 plaintexts with the form: (P(α α 2 α 3 α α 5 x x 2 α 6 ),α 7 α 8 α 9 α 0 α α 2 α 3 α ), whereα (), x, x 2 are fixed andα i ( i, i ),α (2 8) take all possible values. Clearly, each structure can form 2 22 plaintext pairs. In total, we collect plaintext pairs. The left halves of these plaintext differences satisfy P(g g 2 a g 3 a a g a 0 0 g 5 a) with a and g i ( i 5) being nonzero bytes and a () = 0. Encrypt them and keep those pairs whose ciphertext differences have the form (P(h ), b ) with b and h being nonzero bytes and b () = 0. The probability of this event is about 2 3. Therefore, the expected number of remaining pairs is about Guess K 3,3 = K (3 38). We have known the value of K ( 7) 3,3 from kl (2 8). Thus we only guess one bit K (8) 3,3. For each remaining pair, compute the value of (S 3,3, S 3,3 ) and check whether the equation S 3,3= (P ( P )) 3 holds. If S 3,3 (P ( P )) 3 for some pair, then this pair will be discarded. The probability is about 2 8. So the expected number of remaining pairs is approximately Next guess K 3,l for 2 l 8(l 3). For every remaining pair, calculate the value of (S 3,l, S 3,l ). Discard those pairs satisfying S 3,l (P ( P )) l. bout pairs will be kept. Finally, guess K 3, and calculate the inputs of the -th round.

5 Figure 2: Impossible Differential ttack on 2-ound Camellia for Case 3. ccording to K = K (5 63) K (0 ) and K, = K (60 63), we compute the value of (S, S, S,) for every remaining pair. Keep those pairs satisfying these equations S, = (P ( P )), S,l = (P ( P )) l (P ( P )) (l=2, 3, 5, 8) and S, = (P ( C )). The probability of this event is about 2 8. The expected number of remaining pairs is approximately For each remaining pair, calculate the inputs of the 5-th round.. Guess K 5,. Compute the value of ( S 5,, (P ( )) ) for each remaining pair. If S 5, = (P ( )) for some pair, we remove the guessed subkey. The probability is about 2 8. So the expected number of remaining wrong subkey is approximately 2 65 ( 2 8 ) 23.5 if is an 8-round impossible differential. When only one joint subkey is kept, we recover the secret key and verify whether it is correct, else try another differential of. Case 2 a = 0 and b 0, or a 0 and b = 0. We only attack a special scenario a = 0 and b ( 7) = b (2 8). Others can be attacked in the similar way. t this time, the differential is = ( , a ) 8 (b b 0 0 0, ), where a, b and b are non-zero bytes, b ( 7) = b (2 8) and a () = b () = b (8) = 0. The corresponding subkey is kl (2 8) = K (3 37) K (25 27) = 0 (7) (7).. Select plaintexts which have the same structure as above Case. We totally collect plaintext pairs. Encrypt them and obtain the corresponding ciphertext pairs. If the ciphertext difference of some pair does not satisfy (P(h h 0 0 0), b b 0 0 0) with b, b, h and h being non-zero bytes, b ( 7) = b (2 8) and b () = b (8) = 0, we get rid of this pair. The expected number of remaining pairs is about Guess K 3,3, K 3,2, K 3,{ 8} and K 3, in turn. fter this test, about pairs will be kept. 3. We have known K and K,l (l =, 5). For each remaining pair, we compute the values of (S, S ) and (S,l, S,l ). This step is similar to step 3 of Case. The expected number of remaining pairs is about Guess K 5, as before. If is an 8-round impossible differential, then the expected number of remaining wrong subkeys is approximately 2 73 ( 2 8 ) We only consider the scenario that one joint subkey will be kept. t this time, we recover the secret key by the key schedule and verify whether it is correct. If this key is correct, then we halt the attack, else try another differential of. Case 3 a 0 and b 0. We only attack an example a ( 7) = a (2 8) and b ( 7) = b (2 8). The differential is = ( , a a 0 0 0) 8 (b b 0 0 0, ), where a, a, b and b are non-zero bytes and a () = b () = a (8) = b (8) = 0. The corresponding subkey is kl (2 8) = K (3 37) K (25 27) = ().. Select plaitexts including those plaintexts in Cases and 2. Encrypt them to obtain the corresponding ciphertexts. Guess bits of K, i.e., K, = K (60 63) and K ( 3),5 = K (28 30). Since K (3 35) = (5), we can get the value of K ( 8),5. Partially decrypt the ciphertexts to derive the inputs of the -th round. Insert these plaintext-ciphertexts into a hash table indexed by 2-bit value of ( 3,{2 }, 3,{6 8}, () 3,, (8) 3,5, (2 8) 3, ( 7) 3,5, 3). ny two plaintext-ciphertexts in the same row of the hash table forms a pair satisfying ( 3, 3 )=(b b 0 0 0, ) with b () = b (8) = 0 and b (2 8) = b ( 7). Finally, the expected number of remaining pairs is about

6 Table 2: Time Complexity of Cases 3 Step Time Complexity (-round encryptions) = ( ) 2 = = ( (+( 2 8 )+ +( 2 8 ) 23.7 )) Guess K 3,3 = K (3 38) as before. fter this test, about pairs will be kept. Next guess K 3,7, K 3,6, K 3,2 in turn. Because K ( 5) 3,7 = K (), K(5 8), = K (63) K(0 3), K (6 8) 3,6 = K ( 3), = K (60 62) and K (6 8) 3,2 = K ( 3),5 = K (28 30), we only guess partial bits of (K 3,7, K 3,6, K 3,2 ). Keep these pairs satisfying S 3,l = (P ( P )) l (l=7, 6, 2). The expected number of remaining pairs is about Finally, guess K 3,i (i=, 8). For each remaining pair, we compute (S 3,i, S 3,i ) and test whether S 3,i is equal to (P ( P )) i. If S 3,i (P ( P )) i for some pair, then this pair will be discarded. bout pairs will be kept. Guess K 3,{,5} and compute the inputs of the -th round. 3. Since K = (K 5), we can calculate (S, S ) for each remaining pair. Keep these pairs satisfying these equations S, = (P ( P )), S (),8 = (P ( P )) () 8, S,i= (P ( P )) i ( S,8 (P ( P )) 8 ) (2 8) 0(i= 6, 7) and S, j = (P ( P )) j S,8 (P ( P )) 8 S,7 (P ( P )) 7 ( j=2, 3,, 5). The probability of this event is approximately So about will be kept.. Guess K 5,5. For each remaining pair, we calculate (S 5,5, S 5,5 ) and check whether S 5,5 is equal to (P ( )) 5. If S 5,5 (P ( )) 5 for one pair, this pair will be discarded. bout pairs will be kept. Next guess K 5, as before. If one subkey is left, we retrieve the master key, else try another differential of. Complexity. We list the time complexity of each step for Case 3 in table 2. We find the time complexity of Case 3 is determined by steps and 2, i.e., round encryptions. Similarly, we compute the time complexities of Cases and 2, i.e., round encryptions and round encryptions. Therefore, the whole time complexity is approximately = round encryptions. The data and memory complexities are chosen plaintexts and = bytes Impossible Differential Cryptanalysis of 3-ound Camellia-92 By adding one round at the bottom of above 2-round Camellia-92, we mount a chosen ciphertext attack on 3-round Camellia-92 from rounds 3 to 5. Case a = b = 0. The 8-round differential and the corresponding subkey are and kl (2 8) = 0 (), respectively. K (0 3) = K (3 37) K (25 27). Choose structures of ciphertexts. Each structure contains 2 55 ciphertexts with the form (P(α α 2 α 3 α α 5 x x 2 α 6 ), P(α 7 x 3 x x 5 x 6 x 7 x 8 x 9 )), whereα i ( i 7, i ),α (2 8) take all possible values, x j ( j 9),α () are fixed. Clearly, each structure forms 2 09 ciphertext pairs. We totally collect about ciphertext pairs whose differences satisfy (P(h h 2 b h 3 b b h b 0 0 h 5 b), P(h )) with h, h i, b being non-zero bytes and b () = Guess remaining 57 bits of K. For each structure, we encrypt plaintexts to derive the inputs of the 5-th round. Insert these plaintext-ciphertexts into a hash table indexed by the value of ( (),,,{2 8}, (P ( )) {2 8} ). ny two plaintexts lying in the same row of the hash table forms a pair whose input difference in the 5-th round satisfies (a , P(g )). So the expected number of remaining pairs is about Guess K 5,, K 5, and K 5,{2,3,5,8} in turn. For each remaining pair, compute the value of (S 5,i, S 5,i ) for i 5 and i=8. Keep these pairs satisfying the equations S 5, = (P ( C )) and S 5,l = (P ( C )) l (P ( C )) (l=2, 3, 5, 8). The expected number of remaining pairs is about Next guess K 5,{6,7} and calculate the outputs of the -th round.. Since K, = K (60 63), we calculate the value of S, for each remaining pair. Keep these pairs satisfying S, = (P ( C )). The expected number of remaining pair is about Guess K 5, as step of Case in section 3.. If one joint subkey is left, then we recover the master key, else try another differential of. 6

7 Case 2 a = 0 and b 0, or a 0 and b = 0. We attack the same example as Case 2 in section 3.. The 8-round differential and the corresponding subkey are and kl (2 8) = K (3 37) K (25 27) = 0 (7) (7), respectively.. Select 2.6 structures of ciphertexts. Each structure contains 2 80 ciphertexts, the right halves of whose differences have the form P(h 0 0 0h 0 0 0) with h and h being non-zero bytes. Decrypt them and obtain the corresponding plaintexts. 2. s step 2 of Case, we guess 57 bits of K and build 2.6 hash tables to collect some plaintext-ciphertext pairs satisfying (, )=(a , P(g )) with a and g being non-zero bytes and a () = 0. The expected number of remaining pairs is about Guess K 5,. For each remaining pair, we calculate the value of (S 5,, S 5, ) and verify whether the equation S 5, = (P ( C )) holds. If S 5, = (P ( C )) for some pair, this pair will be kept. Next guess K 5,8, and compute the value of (S 5,8, S 5,8 () ) for every remaining pair. If S 5,8 (P ( C )) () 8 for one pair, then this pair will be discarded. Finally, guess K 5,l (2 l 7). Keep those pairs satisfying these equations S 5,i = (P ( C )) i ( S 5,8 (P ( C )) 8 ) (2 8) 0(i= 6, 7) and S 5, j = (P ( C )) j S 5,8 (P ( C )) 8 S 5,7 (P ( C )) 7 ( j=2, 3,, 5). In total, the expected number of remaining pairs is about Because K, = K (60 63) and K,5 = K (28 35), we compute (S,{,5}, S,{,5} ) for each remaining pair. Discard those pairs satisfying S,{,5} (P ( C )) {,5}. Finally, about 2.6 pairs will be kept. 5. Guess K 5, as before. If is an impossible differential, the expected number of remaining wrong subkey is about 2 29 ( 2 8 ) 2.6. We only recover the secret key if one joint subkey is kept. Case 3 a 0 and b 0. We attack an example, i.e., the 8-round differential is. The corresponding subkey is kl (2 8) = K (3 37) K (25 27) K (0 3) = ().. Choose the same structures of ciphertexts as Case 2. We totally collect ciphertext pairs. 2. ike step 2 of Case 2, guess the remaining 57 bits of K. For each structure, we build a hash table of plaintextcphertexts indexed by the value of ( (),, (8),5, (2 8), ( 7),5,,{2 },,{6 8}, (P ( )) {2 }, (P ( )) {6 8} ). Then any two plaintexts in the same row of one hash table forms a pair whose input difference in the 5-th round has the form (a a 0 0 0, P(g g 0 0 0)) with a, a, g and g being non-zero bytes, a (2 8) = a ( 7) and a () = a (8) = 0. Therefore, the expected number of remaining pairs is about s steps 3 and of Case 2 in this section, guess K 5 and K,{,5}. Finally, about pairs will be kept.. This step is the same as step 5 of Case 3 in section 3.. The scenario that one subkey is left will be considered. Complexity. For three cases, the time complexity of Case 3 is maximal, i.e., about round encryptions. Therefore, the total time complexity is approximately = round encryptions. The date and memory complexities are chosen ciphertexts and = bytes, respectively.. Impossible Differential Cryptanalysis of -ound Camellia-256 In this section, we mount an impossible differential attack on -round Camellia-256 from rounds 0 to 23. Since the attack procedure is similar to above section, we will briefly introduce the whole attack as follows. Case a = b = 0. The 8-round differential and the corresponding subkey are and kl (2 8) = 0 (), respectively. 3 6 = K (6 67) K ( 20). Select 2 67 structures of plaintexts. Each structure contains 2 55 plaintexts with the form (P(α x x 2 x 3 x x 5 x 6 x 7 ), P(α 2 α 3 α α 5 α 6 x 8 x 9 α 7 )), whereα i ( i 7, i 5) andα (2 8) 5 take all possible values andα () 5 and x j ( j 9) are fixed. 2. Guess 66 bits of K, i.e., K (09 27) K (0 6). Since K 0 = (K 5) = K (09 27) K (0 ) and K 23 = (K ) = K ( 27) K (0 6), we partially encrypt plaintexts to obtain inputs of the -th round and decrypt corresponding ciphertexts to derive outputs of the 22-nd round. For each structure, we insert plaintext-ciphertexts into a hash table indexed by the value of ( 0,{2 8}, (P ( 0 )) {2 8}, (P ( 22 )) (), (P ( 22 )) {6,7} ). ny two plaintextciphertexts in the same row of this hash table forms a pair. Its input difference in the -th round and the right half 7

8 of its output difference in the 22-nd round satisfy (a , P(g )) and P(h h 2 b h 3 b b h b 0 0 h 5 b) with a, g, b, h i ( i 5) being non-zero bytes and a () = b () = 0. Thus the expected number of remaining pairs is about = Guess K, = K (5 52). For each remaining pair, we calculate S,. Keep these pairs satisfying S, = (P ( 0 )). bout 2 pairs will be kept.. Because K 22,3 = K (6 53), we only guess one bit of K 22,3, i.e., K (8) 22,3 = K(53). For each remaining pair, we calculate the value of (S 22,3, S 22,3 ). Keep those pairs satisfying S 22,3= (P ( 2 )) 3. The expected number of remaining pairs is about Next guess K 22,2 = K (38 5). In fact, we only guess 7 bits of K 22,2 because we have known the value of K (8) 22,2. Keep those pairs satisfying S 22,2= (P ( 2 )) 2. The expected number of remaining pairs is about Finally, guess K 22,i for i 8 in turn. Discard those pairs satisfying S 22,i (P ( 2 )) i. The expected number of remaining pairs is about Guess K 22, and compute the inputs of the 2-st round. 5. Guess K 2,, K 2, and K 2, j ( j=2, 3, 5, 8) in turn. For each remaining pair, we compute the value of (S 2, j, S 2, j ). Keep those pairs satisfying S 2, = (P ( 20 )) and S 2, j = (P ( 20 )) j (P ( 20 )). The expected number of remaining pairs is about 2 5. Finally, guess K 2,{6,7} = K (6 3) K ( 2). s a matter of fact, we only guess 9 bits because we have known the value of K ( 20). Compute the outputs of the 20-th round. 6. Guess K 20,. For each remaining pair, we calculate the value of ( S 20,, (P ( 9 )) ). emove these guessed subkeys such that S 20, is equal to (P ( 9 )) for one pair. If is an 8-round impossible differential, the expected number of remaining wrong subkeys is about 2 95 ( 2 8 ) 25. We recover the secret key from this guessed subkey when one subkey is left. Case 2 a = 0 and b 0, or a 0 and b = 0. We attack one example, i.e., the 8-round differential is. The corresponding subkey is kl (2 8) 3 6 = K (6 67) K ( 20) = 0 (7) (7).. Choose structures of plaintexts, which have the same form as above Case in this section. 2. Guess K 0, K 23 and K,, i.e., 66 bits of K and 8 bits of K. For each plaintext of any structure, compute outputs of the -th and 22-nd rounds. Insert these plaintext-ciphertexts into a hash table indexed by (,,{2 8} ). ny two pairs in the same row of the hash table forms a pair whose output difference in the -th round satisfies ( , a ). The expected number of remaining pairs is approximately = Guess K 22,3, K 22,2, K 22,i (i =, 6, 7, 8) in turn. For each remaining pair, calculate the intermediate value of (S 22, j, S 22, j ) (2 j 8, j 5). Keep those pairs satisfying S 22, j= (P ( 2 )) j. The expected number of remaining pairs is about Guess K 22,{,5} and compute the outputs of the 2-st round.. Guess K 2,, K 2,7, K 2,l (2 l 8, l 7) in turn. Keep those pairs satisfying these equations S 2, = (P ( 20 )), S (8) 2,7 = (P ( 20 )) (8) 7, S 2,6= S 2,7 (P ( 20 )) 7 (P ( 20 )) 6, S 2,8 = (P ( 20 )) 8 0 ( S 2,7 (P ( 20 )) 7 ) 7, S 2,i = (P ( 20 )) i S 2,7 (P ( 20 )) 7 S 2,8 (P ( 20 )) 8 (2 i 5). The expected number of remaining pairs is about Guess K 20,5. Keep those pairs satisfying S 20,5 = (P ( 20 )) 5. bout 2 5. pairs will be left. Next guess K 20,. If S 20, = (P ( 20 )) for one pair, we remove this guessed subkey. The expected number of remaining wrong subkeys is about ( 2 8 ) 25. if is an impossible differential. When one subkey is left, we recover the secret key by the key schedule. Case 3 a 0 and b 0. We attack the special example, i.e., the 8-round differential is. The corresponding subkey is kl (2 8) 3 6 = K (6 67) K ( 20) = ().. Select 2 2. structures of plaintexts. Each structure contains 2 80 plaintexts with the form (P(α x x 2 x 3 α 2 x x 5 x 6 ), α 3 α α 5 α 6 α 7 α 8 α 9 α 0 ), whereα i ( i 0) take all possible values and x j ( j 6) are fixed. 2. Guess K 0, K 23 and K,{,5} as before. Partially encrypt the plaintexts to derive outputs of -th round and decrypt the corresponding ciphertexts to get outputs of 22-nd round. Insert these plaintext-ciphertexts into the hash table indexed by (, (),,,{2 }, 8,5,,{6 8}, (2 8), ( 7),5 ). ny two plaintext-ciphrtetxs in the same row of the hash table forms a pair whose output difference in the -th round have the form ( , a a 0 0 0) with a () = a (8) = 0 and a (2 8) = a ( 7). The expected number of remaining pairs is about = Guess K 22, K 2, K 20,{,5} as above Case 2. Finally, we recover the secret key by the key schedule when one joint subkey is left. Otherwise try another differential of. 8

9 Complexity. Similarly, we analyze the time complexity of each case. We find that the time complexity of Case 3 is maximal, i.e., round encryptions. Thus the total time complexity is about round encryptions. The data and memory complexities are chosen plaintexts and 2 3. bytes. 5. Conclusion In this paper, we have presented the best known attacks on Camellia-92/256 by making full use of the relation between the 8-round differentials of the set and the values of the subkey. On the one hand, we mount a chosen plaintext attack on 2-round Camellia-92 from rounds 3 to and a chosen ciphertext attack on 3-round Camellia-92 from rounds 3 to 5. The time complexity of our attack on 2-round Camellia-92 is about round encryptions, which is times faster than previously known best results on 2-round Camellia-92. The corresponding memory complexity is about bytes, which is times smaller than previously known best results on 2-round Camellia-92. More importantly, the attack on 3-round Camellia-92 is presented for the first time. On the other hand, we successfully mount an improved impossible differential attack on -round Camellia-256 with chosen ciphertexts, round encryptions and 2 3. bytes. Compared with the previously fastest known attack on - round Camellia-256, the time and memory complexities of our attack are reduced by and 2 6. times and the data complexity is comparable. eferences [] oki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: 28-bit block cipher suitable for multiple platforms - design and analysis. In: Stinson, D.., Tavares, S.E. (eds.) Selected reas in Cryptography. ecture Notes in Computer Science, vol. 202, pp Springer (2000) [2] Bai, D., i,.: New impossible differential attacks on camellia. In: yan, M.D., Smyth, B., Wang, G. (eds.) ISPEC. ecture Notes in Computer Science, vol. 7232, pp Springer (202) [3] Chen, J., Jia, K., Yu, H., Wang, X.: New impossible differential attacks of reduced-round Camellia-92 and Camellia-256. In: Parampalli, U., Hawkes, P. (eds.) CISP. ecture Notes in Computer Science, vol. 682, pp Springer (20) [] International Standardization of Organization (ISO): International standard - ISO/IEC Tech. rep., Information technology - Security techniques - Encryption algrithm - Part 3: Block Ciphers (July 2005) [5] ee, S., Hong, S., ee, S., im, J., Yoon, S.: Truncated differential cryptanalysis of Camellia. In: Kim, K. (ed.) ICISC. ecture Notes in Computer Science, vol. 2288, pp Springer (200) [6] ei, D., i, C., Feng, K.: New observation on Camellia. In: Preneel, B., Tavares, S.E. (eds.) Selected reas in Cryptography. ecture Notes in Computer Science, vol. 3897, pp Springer (2005) [7] ei, D., i, C., Feng, K.: Square like attack on Camellia. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS. ecture Notes in Computer Science, vol. 86, pp Springer (2007) [8] i,., Chen, J., Wang, X.: Security of reduced-round Camellia against impossible differential attack. IC Cryptology eprint rchive 20, 52 (20) [9] iu, Y., Gu, D., iu, Z., i, W.: Improved results on impossible differential cryptanalysis of reduced-round Camellia-92/256. Journal of Systems and Software (202), accepted [0] iu, Y., i,., Gu, D., Wang, X., iu, Z., Chen, J., i, W.: New observations on impossible differential cryptanalysis of reduced-round Camellia. In: FSE (202), to appear [] u, J., Kim, J., Keller, N., Dunkelman, O.: Improving the efficiency of impossible differential cryptanalysis of reduced Camellia and MISTY. In: Malkin, T. (ed.) CT-S. ecture Notes in Computer Science, vol. 96, pp Springer (2008) [2] u, J., Wei, Y., Kim, J., Fouque, P..: Cryptanalysis of reduced versions of the Camellia block cipher. In: Preproceeding of SC (20) [3] u, J., Wei, Y., Kim, J., Pasalic, E.: The higher-order meet-in-the-middle attack and its application to the Camellia block cipher. In: P- resented in part at the First sian Workshop on Symmetric Key Cryptography (SK 20) (ugst 20), a full version is available at [] Mala, H., Shakiba, M., Dakhilalian, M., Bagherikaram, G.: New results on impossible differential cryptanalysis of reduced-round Camellia- 28. In: Jr., M.J.J., ijmen, V., Safavi-Naini,. (eds.) Selected reas in Cryptography. ecture Notes in Computer Science, vol. 5867, pp Springer (2009) [5] Shirai, T.: Differential, linear, boomerange and rectangle cryptanalysis of reduced-round Camellia. Proceedings of 3rd NESSIE Workshop, Munich, Germany (November ) [6] Sugita, M., Kobara, K., Imai, H.: Security of reduced version of the block cipher Camellia against truncated and impossible differential cryptanalysis. In: Boyd, C. (ed.) SICYPT. ecture Notes in Computer Science, vol. 228, pp Springer (200) [7] Wu, W., Feng, D., Chen, H.: Collision attack and pseudorandomness of reduced-round Camellia. In: Handschuh, H., Hasan, M.. (eds.) Selected reas in Cryptography. ecture Notes in Computer Science, vol. 3357, pp Springer (200) [8] Wu, W., Zhang, W., Feng, D.: Impossible differential cryptanalysis of reduced-round I and Camellia. J. Comput. Sci. Technol. 22(3), 9 56 (2007) 9

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,

More information

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer

More information

New Observation on Camellia

New Observation on Camellia New Observation on Camellia Duo ei 1,iChao 2,andeqinFeng 3 1 Department of cience, National University of Defense Technology, Changsha, China Duoduolei@163.com 2 Department of cience, National University

More information

Differential Attack on Five Rounds of the SC2000 Block Cipher

Differential Attack on Five Rounds of the SC2000 Block Cipher Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com

More information

Impossible Differential Attacks on 13-Round CLEFIA-128

Impossible Differential Attacks on 13-Round CLEFIA-128 Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential

More information

Complementing Feistel Ciphers

Complementing Feistel Ciphers Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,

More information

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

Security of the SMS4 Block Cipher Against Differential Cryptanalysis Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security

More information

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Differential-Linear Cryptanalysis of Serpent

Differential-Linear Cryptanalysis of Serpent Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,

More information

FFT-Based Key Recovery for the Integral Attack

FFT-Based Key Recovery for the Integral Attack FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose

More information

Impossible Boomerang Attack for Block Cipher Structures

Impossible Boomerang Attack for Block Cipher Structures Impossible Boomerang Attack for Block Cipher Structures Jiali Choy and Huihui Yap DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali, yhuihui@dso.org.sg Abstract. Impossible

More information

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,

More information

Related-Key Rectangle Attack on 42-Round SHACAL-2

Related-Key Rectangle Attack on 42-Round SHACAL-2 Related-Key Rectangle Attack on 42-Round SHACAL-2 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham, Surrey TW20

More information

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,

More information

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National

More information

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an

More information

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

A Unified Method for Finding Impossible Differentials of Block Cipher Structures A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai

More information

Differential and Rectangle Attacks on Reduced-Round SHACAL-1

Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham,

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

Impossible Differential Cryptanalysis of Mini-AES

Impossible Differential Cryptanalysis of Mini-AES Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my

More information

Security of SM4 Against (Related-Key) Differential Cryptanalysis

Security of SM4 Against (Related-Key) Differential Cryptanalysis Security of SM4 Against (Related-Key) Differential Cryptanalysis Jian Zhang 1,2, Wenling Wu 1(B), and Yafei Zheng 1 1 Institute of Software, Chinese Academy of Sciences, Beijing 100190, China {zhangjian,wwl,zhengyafei}@tca.iscas.ac.cn

More information

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL

More information

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information

More information

The Security of Abreast-DM in the Ideal Cipher Model

The Security of Abreast-DM in the Ideal Cipher Model The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds

More information

Advanced differential-style cryptanalysis of the NSA's skipjack block cipher

Advanced differential-style cryptanalysis of the NSA's skipjack block cipher Loughborough University Institutional Repository Advanced differential-style cryptanalysis of the NSA's skipjack block cipher This item was submitted to Loughborough University's Institutional Repository

More information

Block Cipher Cryptanalysis: An Overview

Block Cipher Cryptanalysis: An Overview 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution

More information

S-box (Substitution box) is a basic component of symmetric

S-box (Substitution box) is a basic component of symmetric JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates

More information

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Improved Multiple Impossible Differential Cryptanalysis of Midori128 Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,

More information

Towards Provable Security of Substitution-Permutation Encryption Networks

Towards Provable Security of Substitution-Permutation Encryption Networks Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,

More information

Key classification attack on block ciphers

Key classification attack on block ciphers Key classification attack on block ciphers Maghsood Parviz Mathematical Sciences Department Sharif University of Technology Tehran, IAN maghsoudparviz@alum.sharif.ir Saeed Mirahmadi Pooyesh Educational

More information

Linear Cryptanalysis of Reduced-Round Speck

Linear Cryptanalysis of Reduced-Round Speck Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be

More information

Cryptanalysis of a Multistage Encryption System

Cryptanalysis of a Multistage Encryption System Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering

More information

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit

More information

New Results on Boomerang and Rectangle Attacks

New Results on Boomerang and Rectangle Attacks New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,

More information

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline

More information

Specification on a Block Cipher : Hierocrypt L1

Specification on a Block Cipher : Hierocrypt L1 Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................

More information

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low

More information

Linear Cryptanalysis

Linear Cryptanalysis Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations

More information

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,

More information

Block Ciphers and Systems of Quadratic Equations

Block Ciphers and Systems of Quadratic Equations Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium

More information

Linear Cryptanalysis Using Multiple Approximations

Linear Cryptanalysis Using Multiple Approximations Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in

More information

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography

More information

Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128

Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128 Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128 Sareh Emami 2, San Ling 1, Ivica Nikolić 1, Josef Pieprzyk 3 and Huaxiong Wang 1 1 Nanyang Technological University, Singapore

More information

MasterMath Cryptology /2 - Cryptanalysis

MasterMath Cryptology /2 - Cryptanalysis MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions

More information

A Byte-Based Guess and Determine Attack on SOSEMANUK

A Byte-Based Guess and Determine Attack on SOSEMANUK A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy

More information

Cryptanalysis of Hummingbird-2

Cryptanalysis of Hummingbird-2 Cryptanalysis of Hummingbird-2 Kai Zhang, Lin Ding and Jie Guan (Zhengzhou Information Science and Technology Institute, Zhengzhou 450000, China) Abstract: Hummingbird is a lightweight encryption and message

More information

Linear Cryptanalysis of Reduced-Round PRESENT

Linear Cryptanalysis of Reduced-Round PRESENT Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable

More information

Improved S-Box Construction from Binomial Power Functions

Improved S-Box Construction from Binomial Power Functions Malaysian Journal of Mathematical Sciences 9(S) June: 21-35 (2015) Special Issue: The 4 th International Cryptology and Information Security Conference 2014 (Cryptology 2014) MALAYSIAN JOURNAL OF MATHEMATICAL

More information

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com

More information

Type 1.x Generalized Feistel Structures

Type 1.x Generalized Feistel Structures Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

A Byte-Based Guess and Determine Attack on SOSEMANUK

A Byte-Based Guess and Determine Attack on SOSEMANUK A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy

More information

Subspace Trail Cryptanalysis and its Applications to AES

Subspace Trail Cryptanalysis and its Applications to AES Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic

More information

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin

More information

Revisit and Cryptanalysis of a CAST Cipher

Revisit and Cryptanalysis of a CAST Cipher 2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia

More information

A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony

A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony Orr Dunkelman, Nathan Keller, and Adi Shamir Faculty of Mathematics and Computer Science Weizmann Institute of

More information

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China

More information

On Feistel Structures Using a Diffusion Switching Mechanism

On Feistel Structures Using a Diffusion Switching Mechanism On Feistel Structures Using a Diffusion Switching Mechanism Taizo Shirai and Kyoji Shibutani Sony Corporation, Tokyo, Japan {Taizo.Shirai, Kyoji.Shibutani}@jp.sony.com Abstract. We study a recently proposed

More information

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks

More information

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk

More information

Algebraic Techniques in Differential Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

Security Analysis of the Block Cipher SC2000

Security Analysis of the Block Cipher SC2000 Security Analysis of the Block Cipher SC2000 VERSION 1.1 FINAL REPORT Alex Biryukov University of Luxembourg, Luxembourg Ivica Nikolić Nanyang Technological University, Singapore Contents 1 Introduction

More information

Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism

Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism Mahdi Sajadieh and Mohammad Vaziri 1 Department of Electrical Engineering, Khorasgan Branch, Islamic Azad University,

More information

New Block Cipher: ARIA

New Block Cipher: ARIA This is the accepted version of LNCS 97 pp.43-445 (004, presented at ICISC 003. https://doi.org/0.007/978-3-540-469-6_3 New Block Cipher: ARIA Daesung Kwon, Jaesung Kim, Sangwoo Park, Soo Hak Sung 3, Yaekwon

More information

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium, The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.

More information

Ciphertext-only Cryptanalysis of a Substitution Permutation Network

Ciphertext-only Cryptanalysis of a Substitution Permutation Network Ciphertext-only Cryptanalysis of a Substitution Permutation Network No Author Given No Institute Given Abstract. We present the first ciphertext-only cryptanalytic attack against a substitution permutation

More information

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Jiqiang Lu 1, Wun-She Yap 1,2, and Yongzhuang Wei 3,4 1 Institute for Infocomm Research, Agency for Science, Technology and Research

More information

Linear and Differential Cryptanalysis of SHA-256

Linear and Differential Cryptanalysis of SHA-256 Journal of the Faculty of Environmental Science and Technology, Okayama University Vol.lO, No.!, pp.l 7, February 2005 Linear and Differential Cryptanalysis of SHA-256 WANG Xiao Dong l, Hirofumi ISHIKAWA

More information

Security of the AES with a Secret S-box

Security of the AES with a Secret S-box Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How

More information

Some attacks against block ciphers

Some attacks against block ciphers Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3

More information

Chapter 2 - Differential cryptanalysis.

Chapter 2 - Differential cryptanalysis. Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered

More information

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,

More information

Cryptanalysis of the SIMON Family of Block Ciphers

Cryptanalysis of the SIMON Family of Block Ciphers Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building

More information

Extended Criterion for Absence of Fixed Points

Extended Criterion for Absence of Fixed Points Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper

More information

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]

More information

Revisiting AES Related-Key Differential Attacks with Constraint Programming

Revisiting AES Related-Key Differential Attacks with Constraint Programming Revisiting AES Related-Key Differential Attacks with Constraint Programming David Gérault, Pascal Lafourcade, Marine Minier, Christine Solnon To cite this version: David Gérault, Pascal Lafourcade, Marine

More information

On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2

On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2 On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2 Andrey Bogdanov 1 and Elmar Tischhauser 2 1 Technical University of Denmark anbog@dtu.dk 2 KU Leuven and iminds, Belgium

More information

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Cryptanalysis of SP Networks with Partial Non-Linear Layers Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3,5,, Virginie Lallemand 4,, Nathan Keller 1,5,, and Boaz Tsaban 1 1 Department of Mathematics,

More information

Analysis of SHA-1 in Encryption Mode

Analysis of SHA-1 in Encryption Mode Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

Structural Cryptanalysis of SASAS

Structural Cryptanalysis of SASAS tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which

More information

Differential Cache Trace Attack Against CLEFIA

Differential Cache Trace Attack Against CLEFIA Differential Cache Trace Attack Against CLEFIA Chester Rebeiro and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur, India {chester,debdeep}@cse.iitkgp.ernet.in

More information

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer

More information

Improved Linear Cryptanalysis of reduced-round SIMON-32 and SIMON-48

Improved Linear Cryptanalysis of reduced-round SIMON-32 and SIMON-48 Improved inear Cryptanalysis of reduced-round SIMON-32 and SIMON-48 Mohamed Ahmed Abdelraheem, Javad Alizadeh 2, Hoda A. Alkhzaimi 3, Mohammad eza Aref 2, Nasour Bagheri 4, and Praveen Gauravaram 5 SICS

More information

A Brief Comparison of Simon and Simeck

A Brief Comparison of Simon and Simeck A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based

More information

New Combined Attacks on Block Ciphers

New Combined Attacks on Block Ciphers New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute

More information

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang

More information

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Anne Canteaut 1, María Naya-Plasencia 1, and Bastien Vayssière 2 1 Inria Paris-Rocquencourt, project-team SECRET B.P. 105, 78153 Le Chesnay cedex,

More information

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015 Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size

More information

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/

More information

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract

More information

Solution of Exercise Sheet 7

Solution of Exercise Sheet 7 saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,

More information

Cryptanalysis of a computer cryptography scheme based on a filter bank

Cryptanalysis of a computer cryptography scheme based on a filter bank NOTICE: This is the author s version of a work that was accepted by Chaos, Solitons & Fractals in August 2007. Changes resulting from the publishing process, such as peer review, editing, corrections,

More information

The 128-Bit Blockcipher CLEFIA (Extended Abstract)

The 128-Bit Blockcipher CLEFIA (Extended Abstract) The 2-Bit Blockcipher CLEFIA (Extended Abstract) Taizo Shirai, Kyoji Shibutani,ToruAkishita, Shiho Moriai, and Tetsu Iwata 2 Sony Corporation -7- Konan, Minato-ku, Tokyo -75, Japan {taizo.shirai,kyoji.shibutani,toru.akishita,shiho.moriai}@jp.sony.com

More information

Linear Cryptanalysis of RC5 and RC6

Linear Cryptanalysis of RC5 and RC6 Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be

More information