Differential Attack on Five Rounds of the SC2000 Block Cipher
|
|
- Shanon Atkins
- 5 years ago
- Views:
Transcription
1 Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands Abstract. SC2 is a 28-bit block cipher with a user key of 28, 92 or 256 bits, which employs a total of 6.5 rounds if a 28-bit user key is used. It is a CRYPTREC recommended e-government cipher. In this paper we describe one 4.75-round differential characteristic with probability 2 26 of SC2 and thirty 4.75-round differential characteristics with probability Finally, we exploit these 4.75-round differentials to conduct a differential cryptanalysis attack on a 5-round reduced version of SC2 when used with a 28-bit key. The attack suggests for the first time that the safety margin of SC2 with a 28-bit key decreases below one and a half rounds. Key words: Block cipher, SC2, Differential cryptanalysis Introduction The SC2 block cipher [, 2] has a 28-bit block size and a user key of 28, 92 or 256 bits, which employs a total of 6.5 rounds for a 28-bit user key, and a total of 7.5 rounds for a 92 or 256-bit key. It was designed to have high performance on a wide range of platforms from the low-end processors used in smart cards and mobilephones to the high-end ones that will be available in the near future by suitably implementing it in each platform, and also to have high security [3]. In 22, SC2 became a CRYPTREC recommended e- government cipher [4], after a thorough analysis of its security and performance. In this paper we consider the version of SC2 that uses 28 key bits. The SC2 designers [, 2] first analysed the security of SC2 against differential cryptanalysis [5] as well as certain other cryptanalytic methods, such The work was done when the author was with Royal Holloway, University of London (UK). This paper was published in Postproceedings of INSCRYPT 9 The 5th China International Conference on Information Security and Cryptology, Beijing, CHINA, Feng Bao, Moti Yung, Dongdai Lin and Jiwu Jing (eds), Volume 65 of Lecture Notes in Computer Science, pp. 5 59, Springer-Verlag, 2.
2 2 Table. Cryptanalytic results on SC2 Attack T ype Rounds Data T ime Source Boomerang attack ACPC 2 67 Memory accesses [8] Rectangle attack CP Memory accesses [8] Linear attack KP Memory accesses [2] KP Memory accesses [2] Differential attack CP 2 Encryptions [7] CP 2 2 Memory accesses [2] CP 2 32 Memory accesses This paper as linear cryptanalysis [6]. In 2, Raddum and Knudsen [7] presented a differential attack on 4.5-round SC2, which is based on two 3.5-round differential characteristics with probabilities 2 6 and 2 7, respectively. In 22, by exploiting a few short differentials with large probabilities, Biham et al. [8] presented boomerang [9] and rectangle [] attacks on 3.5-round SC2, following the work described in []. In the same year, Yanami et al. [2] described a 2-round iterative differential characteristic with probability 2 58, and obtained a 3.5-round differential characteristic with probability 2 by concatenating the 2-round differential twice and then removing the first half round; finally they presented a differential attack on 4.5-round SC2 with a time complexity smaller than that of the attack of Raddum and Knudsen. Yanami et al. also presented linear attacks on 4.5-round SC2. These are the best previously published cryptanalytic results on SC2 in terms of the numbers of attacked rounds. In this paper we describe one 4.75-round differential characteristic with probability 2 26 and thirty 4.75-round differential characteristics with probability 2 27, building on the two-round iterative differential characteristic with probability 2 58 of Yanami et al. Finally, using these 4.75-round differential characteristics we present a differential cryptanalysis attack on 5-round SC2, faster than an exhaustive key search. The attack is the first published attack on 5- round SC2. Table sumarises both the previous and our new cryptanalytic results on SC2, where ACPC, CP and KP respectively refer to the required numbers of adaptive chosen plaintexts and ciphertexts, chosen plaintexts, and known plaintexts. The remainder of this paper is organised as follows. In the next section, we give the notation, and describe differential cryptanalysis and the SC2 block cipher. In Section 3, we give the 4.75-round differential characteristics. In Section 4, we present our differential attack on 5-round SC2. Section 5 concludes the paper.
3 3 2 Preliminaries In this section we give the notation used throughout this paper, and then briefly describe differential cryptanalysis and the SC2 cipher. 2. Notation In all descriptions we assume that the bits of a n-bit value are numbered from to n from left to right, the most significant bit is the -th bit, a number without a prefix expresses a decimal number, and a number with prefix x expresses a hexadecimal number. We use the following notation. bitwise logical exclusive OR (XOR) operation bitwise logical AND operation functional composition. When composing functions X and Y, X Y denotes the function obtained by first applying X and then applying Y exchange of the left and right halves of a bit string X bitwise logical complement of a bit string X 2.2 Differential Cryptanalysis Differential cryptanalysis [5] takes advantage of how a specific difference in a pair of inputs of a cipher can affect a difference in the pair of outputs of the cipher, where the pair of outputs are obtained by encrypting the pair of inputs using the same key. The notion of difference can be defined in several ways; the most widely discussed is with respect to the XOR operation. The difference between the inputs is called the input difference, and the difference between the outputs of a function is called the output difference. The combination of the input difference and the output difference is called a differential. The probability of a differential is defined as follows. Definition. If α and β are n-bit blocks, then the probability of the differential (α, β) for a block cipher E, written α β, is defined to be Pr E ( α β) = Pr P {,} n(e(p ) E(P α) = β). For a random function, the expected probability of a differential for any pair (α, β) is 2 n. Therefore, if Pr E ( α β) is larger than 2 n, we can use the differential to distinguish E from a random function, given a sufficient number of chosen plaintext pairs. 2.3 The SC2 Block Cipher SC2 takes as input a 28-bit plaintext. For simplicity, we describe the plaintext P as four 32-bit words (d, c, b, a). The following three elementary functions I, B and R are used to define the SC2 round function, as shown in Fig..
4 4 I B I S mask M L S 6 S 6 M mask R function S 6 R function Fig.. The round function of SC2 The I function: the bitwise logical XOR () operation of the 28-bit input with a 28-bit round subkey of four 32-bit words. The B function: a non-linear substitution, which applies the same 4 4 S- box S 4 32 times in parallel to the input. For a 28-bit input (d, c, b, a ), the output (d, c, b, a ) is obtained in the following way: (d k, c k, b k, a k ) = S 4 (d k, c k, b k, a k ), where X k is the k-th bit of the word X ( k 3). The R function: a substitution-permutation Feistel structure, which consists of three subfunctions S, M and L. Each of the right two 32-bit words of the input to the R function is divided into 6 groups containing 6, 5, 5, 5, 5 and 6 bits, respectively. These six groups are then passed sequentially through the S function, consisting of two 6 6 S-boxes S 6 and four 5 5 S-boxes, and the linear M function that consists of bit words (M[],, M[3]). Given an input a, the output of the M function is defined as a M[] a 3 M[3]. The outputs of the two M functions are then input to the L function. For a 64-bit input (a, b ) the output of the L function is defined as ((a mask)b, (b mask)a ), where mask is a constant (and mask is the complement of mask). Two masks x and x
5 5 are used in SC2, in the even and odd rounds, respectively. Finally, the output of the L function is XORed with the left two 32-bit words of the input to the R function, respectively. We denote the L and R functions with mask x as L 5 and R 5, respectively, and the L and R functions with mask x as L 3 and R 3, respectively. The round function of SC2 is made up of two I functions, one B function and two R functions. We write Kj i for the subkey used in the jth I function of Round i, and write Kj,l i for the l-th bit of Ki j, where i 6, j =,, l 27. The full 6.5-round encryption procedure of SC2 can be described as: I K B I K R 5 R 5 I K B I K R 3 R 3 I K 2 B I K 2 R 5 R 5 I K 3 B I K 3 R 3 R 3 I K 4 B I K 4 R 5 R 5 I K 5 B I K 5 R 3 R 3 I K 6 B I K 6. Note that we refer to the first round as Round. See [2] for its key schedule Round Differential Characteristics of SC2 In this section we describe the 4.75-round differential characteristics Round Iterative Differential Characteristic of Yanami et al. In 22, Yanami et al. [2] described the results of a search over all the possible two-round iterative differential characteristics with only one active S function in every round for any two consecutive rounds I B I R 5 R 5 I B I R 3 R 3. Their result is that the best two-round iterative differential characteristic (i.e. that with the highest probability) is (α, β, β, ) (α, β, β, ) with probability 2 58 : (α, β, β, ) I B I/2 5 (β,,, ) R 3 R 3 /2 6 γ = x2. (, β,, ) R5 R5/2 6 (β, γ,, β) I B I/2 (α, β, β, ), where α = x2, β = x244 and 3.2 The 4.75-Round Differential Characteristics As a result, we can obtain a 4-round differential characteristic (α, β, β, ) (α, β, β, ) with probability 2 6 by concatenating the above two-round iterative differential twice. It is essential to try to exploit an efficient (i.e. with a relatively high probability) differential operating over more than four rounds in order to break more rounds of SC2. However, this 4-round differential cannot be extended to a differential characteristic operating over more than four rounds with a probability larger than 2 28, as appending even a half round R 3 R 3 at the beginning will cost a probability of 2 6 and appending a B function at the end will cost at least a probability of 2 3. Nevertheless, observe that from the above two-round iterative differential characteristic it follows that two-round iterative differential characteristic (β, γ,, β) (β, γ,, β) for any two consecutive rounds I B I R 3 R 3 I B I R 5 R 5 also holds with a probability of 2 58 : (β, γ,, β) I B I/2
6 6 (x244,,, x244) L 3 L 3 L 5 L 5 I B I (x244,,, ) (x2, x244, x244, ) I B I (, x244,, ) (x244, x2,, x244) I B I (x244,,, ) L 3 L 3 L 5 L 5 (x2, x244, x244, ) I B I (, x244,, ) (x244, x2,, x244) I B I (x244,,, ) L 3 (x244, ) (, ) Fig. 2. A 4.75-round differential characteristic with probability 2 26 (β,,, ) R3 R3/2 6 (α, β, β, ) I B I/2 5 (, β,, ) R5 R5/2 6 (β, γ,, β). It might seem counter-intuitive at first, but there is a major difference between this and the previous iterative 2-round differential characteristic: we can append a.75-round differential characteristic (β, γ,, β) I B I R3 (β,,, ) with a probability of 2 at the end of this differential characteristic! Therefore, we can obtain a 4.75-round differential characteristic (β, γ,, β) (β,,, ) with probability By changing the input difference to the difference (β,,, β) we can get a 4.75-round differential characteristic with probability 2 26, and this 4.75-round differential characteristic is depicted in Fig. 2. When we change the input difference for only one of the five active S 4 S-boxes to a value in {x, x2, x6, x7, xd, xf }, we get a total of thirty 4.75-round differential
7 7 characteristics with probability We denote by Ω the set of the 3 input differences for the thirty-one 4.75-round differential characteristics. The differential distribution table of the S 4 S-box is given in [2], and the differential distribution table of the S-box is shown in Table 2 in Appendix A. (The characteristics do not make an active S 6 S-box, so we do not give its differential distribution table.) In a natural way, we might try to find a better differential characteristic on greater than four rounds by first exploiting short differentials with similar structures and then concatenating them, for the above 4.75-round differential obtained from the two-round iterative differential is just a special case among these. Motivated by this idea, we perform a computer search over all the possible differentials for such one round R R I B I with only one R function active and the right two 32-bit input differences and one of the left two 32- bit input differences being zero; moreover, in order to ensure that the resulting differential is capable of being concatenated with itself, we also require that the right two 32-bit output words and one of the left two 32-bit output words have a zero difference. Surprisingly, we find that the differential characteristics (β,,, ) R 3 R 3 I B I (, β,, ) and (, β,, ) R 5 R 5 I B I (β,,, ) in the above two-round iterative differential are the best (i.e. with the highest probabilities) among those with the same forms, respectively. Our search for other similar forms gives no better result. 4 Differential Attack on 5-Round SC2 In this section, we present a differential cryptanalysis attack on 5 rounds of SC2 when used with a 28-bit key. 4. Preliminary Results We first concentrate on the propagation of the output difference of the round differential characteristic described above through the following R 3 I K 6 operation. The output difference (β,,, ) will definitely propagate to a difference with the form ( Y x , Y, β, ) after the following R 3 function, where Y GF (2 32 ). Since the function has a uniform differential probability of 2 4, there are totally 2 6 possible values for Y ; we denote the set of all the 2 6 possible differences ( Y x , Y, β, ) by Γ. The difference ( Y x , Y, β, ) will be kept after the following linear I K 6 function. On the other hand, having known the 28-bit difference after the I K 6 function for a ciphertext pair, we only need to guess the 64 subkey bits (K,64, 6, K,27) 6 of K 6 to check whether this pair could produce the difference (β,,, ) just before the adjacent R 3 function. For our case, as a candidate difference just after the I K 6 function should be with the form ( Y x , Y, β, ), we only need to guess the 2 subkey bits K,7, 6, K,89 6 corresponding to the four active S-Boxes in the adjacent R 3 function to determine whether a ciphertext
8 8 pair with a candidate difference could produce the output difference of the above 4.75-round differential characteristics. 4.2 Attack Procedure By using the 4.75-round differential characteristics, we can mount a differential attack on the following 5 rounds of SC2: I K B I K R 3 R 3 I K 2 B I K 2 R 5 R 5 I K 3 B I K 3 R 3 R 3 I K 4 B I K 4 R 5 R 5 I K 5 B I K 5 R 3 R 3 I K 6. The attack procedure is as follows.. Choose 2 7 structures, where a structure is defined to be a set of 2 2 plaintexts with the 2 bits for the five active S 4 S-boxes taking all the possible values and the other 8 bits fixed. In a chosen-plaintext attack scenario, obtain the corresponding ciphertexts. Keep only the plaintext pairs that have a difference belonging to the set Ω and whose ciphertext pairs have a difference belonging to the set Γ. 2. Guess the 2 subkey bits (K,7, 6, K,89) 6 of K 6 in the I K 6 function, and do as follows. (a) For every remaining ciphertext pair: Partially decrypt the corresponding 2 bits of the two ciphertexts through the I K 6 function and the four active S-boxes in the adjacent R 3 operation, compute the 64-bit difference just after the L 3 operation in the R 3 operation, then XOR it with the left 64-bit difference of the ciphertext pair, and finally check whether the resultant 64-bit difference is zero. (b) Count the number of the ciphertext pairs with the 64-bit difference computed in Step 2(a) being zero, and record this number for the guessed (K,7, 6, K,89). 6 Repeat Step 2 with another guess; and go to Step 3 if all the guesses are tested. 3. For each of the top m ranking guesses for (K,7, 6, K,89) 6 according to the numbers recorded in Step 2(b), (specific values of m will be given below), exhaustively search for the remaining 8 key bits with two known plaintext/ciphertext pairs. If a 28-bit key is suggested, output it as the user key of the 5-round SC Complexity Analysis The attack requires 2 27 chosen plaintexts. Typically, encrypting chosen plaintexts is assumed to be done by some challenger who holds the user key (i.e. the challenger s running time), and is not counted as part of the time complexity of an attack. In Step, it is expected that 2 7 (22 ) plaintext 5 pairs remain after the filtering condition about Ω, and = ciphertext pairs remain after the filtering condition about Γ; and it requires about memory accesses to filter out the satisfying ciphertext pairs. Strictly speaking, this is a little more than 5 rounds.
9 9 The time complexity of Step 2 is dominated by the partial decryptions, which is approximately round SC2 encryptions. Step 3 has a time complexity of m round SC2 encryptions. The signal-to-noise ratio for the attack is In Step 2(b), for the correct 28 key guess the number of the ciphertext pairs with the 64-bit difference computed in Step 2(a) being zero is expected to be ( ) = 6. According to Theorem 3 of [3], we have that the success probability for the attack is about 67% when m =, and is about 98.7% when m = Conclusions SC2 is a 28-bit block cipher, which is one of the CRYPTREC e-government Recommended Ciphers. In this paper we have described a few 4.75-round differential characteristics with a probability of larger than Finally, using the 4.75-round differential characteristics we have presented a differential attack on 5-round SC2 when used with 28 key bits. The presented attack is theoretical, like most cryptanalytic attacks on block ciphers; and from a cryptanalytic view it suggests for the first time that the safety margin of SC2 with a 28-bit key decreases within one and a half rounds. Acknowledgments The author is very grateful to Prof. Chris Mitchell and the anonymous referees for their editorial comments. References. Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., Tanaka, H.: The SC2 block cipher. In Proceedings of the First Open NESSIE Workshop, Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., Tanaka, H.: The block cipher SC2. In: Matsui, M. (ed.) FSE 2. LNCS, vol. 2355, pp Springer, Heidelberg (22) 3. Fujitsu Laboratories, te/crypto/sc2.html 4. Cryptography Research and Evaluatin Committees CRYPTREC Report 22. Available at 5. Biham, E., Shamir, A.: Differential cryptanalysis of the Data Encryption Standard. Springer-Verlag (993). 6. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 993. LNCS, vol. 765, pp Springer, Heidelberg (994) 7. Raddum, H., Knudsen, L.R.: A differential attack on reduced-round SC2. In: Vaudenay, S., Youssef, A. (eds.) SAC 2. LNCS, vol. 2259, pp Springer, Heidelberg (2)
10 8. Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 22. LNCS, vol. 2365, pp. 6. Springer, Heidelberg (22) 9. Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE 999. LNCS, vol. 636, pp Springer, Heidelberg (999). Biham, E., Dunkelman, O., Keller, N.: The rectangle attack rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2. LNCS, vol. 245, pp Springer, Heidelberg (2). Dunkelman, O., Keller, N.: Boomerang and rectangle attacks on SC2. In Proceedings of the Second Open NESSIE Workshop, Yanami, H., Shimoyama, T., Dunkelman, O.: Differential and linear cryptanalysis of a reduced-round SC2. In: Daemen, J., Rijmen, V. (eds.) FSE 22. LNCS, vol. 2365, pp Springer, Heidelberg (22) 3. Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. Journal of Cryptology 2(), 3 47 (28) A The Differential Distribution Table of the S-box
11 Table 2. The differential distribution table of the S-box input
Differential and Rectangle Attacks on Reduced-Round SHACAL-1
Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham,
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationRelated-Key Rectangle Attack on 42-Round SHACAL-2
Related-Key Rectangle Attack on 42-Round SHACAL-2 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham, Surrey TW20
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationNew Results on Boomerang and Rectangle Attacks
New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationBit-Pattern Based Integral Attack
Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationChapter 2 - Differential cryptanalysis.
Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationSecurity of the SMS4 Block Cipher Against Differential Cryptanalysis
Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationImproved Impossible Differential Attack on Reduced Version of Camellia-192/256
Improved Impossible Differential ttack on educed Version of Camellia-92/256 Ya iu, Dawu Gu, Zhiqiang iu, Wei i 2,3 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationSecurity Analysis of the Block Cipher SC2000
Security Analysis of the Block Cipher SC2000 VERSION 1.1 FINAL REPORT Alex Biryukov University of Luxembourg, Luxembourg Ivica Nikolić Nanyang Technological University, Singapore Contents 1 Introduction
More informationImproved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256
Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationImpossible Boomerang Attack for Block Cipher Structures
Impossible Boomerang Attack for Block Cipher Structures Jiali Choy and Huihui Yap DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali, yhuihui@dso.org.sg Abstract. Impossible
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationOn Multiple Linear Approximations
On Multiple Linear Approximations Alex Biryukov, Christophe De Cannière, and Michael Quisquater Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Jiqiang Lu 1, Wun-She Yap 1,2, and Yongzhuang Wei 3,4 1 Institute for Infocomm Research, Agency for Science, Technology and Research
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationA Byte-Based Guess and Determine Attack on SOSEMANUK
A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationImproving the Time Complexity of Matsui s Linear Cryptanalysis
Improving the Time Complexity of Matsui s Linear Cryptanalysis B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group, Université Catholique de Louvain Abstract. This paper reports on an improvement
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationA New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg Helsinki University of Technology, Department of Information
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationA Byte-Based Guess and Determine Attack on SOSEMANUK
A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationPractically Secure against Differential Cryptanalysis for Block Cipher SMS4
Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationStatistical and Algebraic Properties of DES
Statistical and Algebraic Properties of DES Stian Fauskanger 1 and Igor Semaev 2 1 Norwegian Defence Research Establishment (FFI), PB 25, 2027 Kjeller, Norway 2 Department of Informatics, University of
More informationS-box (Substitution box) is a basic component of symmetric
JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationStructural Cryptanalysis of SASAS
J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationIntegral and Multidimensional Linear Distinguishers with Correlation Zero
Integral and Multidimensional Linear Distinguishers with Correlation Zero Andrey Bogdanov 1, regor Leander 2, Kaisa yberg 3, Meiqin Wang 4 1 KU Leuven, ESAT/SCD/COSIC and IBBT, Belgium 2 Technical University
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationKFC - The Krazy Feistel Cipher
KFC - The Krazy Feistel Cipher Thomas Baignères and Matthieu Finiasz EPFL CH-1015 Lausanne Switzerland http://lasecwww.epfl.ch Abstract. We introduce KFC, a block cipher based on a three round Feistel
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions
More informationSubstitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
J. Cryptology (1996) 9: 1 19 1996 International Association for Cryptologic Research Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis Howard M. Heys and Stafford E.
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2
t m Mathematical Publications DOI: 10.2478/v10127-012-0037-5 Tatra Mt. Math. Publ. 53 (2012), 21 32 ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2 Michal Braško Jaroslav Boor
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationHow Biased Are Linear Biases
How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationOn Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds
On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit
More informationRoyal Holloway University of London
Projective Aspects of the AES Inversion Wen-Ai Jackson and Sean Murphy Technical Report RHUL MA 2006 4 25 November 2005 Royal Holloway University of London Department of Mathematics Royal Holloway, University
More informationAdvanced differential-style cryptanalysis of the NSA's skipjack block cipher
Loughborough University Institutional Repository Advanced differential-style cryptanalysis of the NSA's skipjack block cipher This item was submitted to Loughborough University's Institutional Repository
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom {M.R.Albrecht,carlos.cid}@rhul.ac.uk
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationKey classification attack on block ciphers
Key classification attack on block ciphers Maghsood Parviz Mathematical Sciences Department Sharif University of Technology Tehran, IAN maghsoudparviz@alum.sharif.ir Saeed Mirahmadi Pooyesh Educational
More informationImproved Analysis of Some Simplified Variants of RC6
Improved Analysis of Some Simplified Variants of RC6 Scott Contini 1, Ronald L. Rivest 2, M.J.B. Robshaw 1, and Yiqun Lisa Yin 1 1 RSA Laboratories, 2955 Campus Drive San Mateo, CA 94403, USA {scontini,matt,yiqun}@rsa.com
More informationExperimenting Linear Cryptanalysis
Experimenting Linear Cryptanalysis Baudoin Collard, François-Xavier Standaert UCL Crypto Group, Microelectronics Laboratory, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationA Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony
A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony Orr Dunkelman, Nathan Keller, and Adi Shamir Faculty of Mathematics and Computer Science Weizmann Institute of
More informationCryptanalysis of Hummingbird-2
Cryptanalysis of Hummingbird-2 Kai Zhang, Lin Ding and Jie Guan (Zhengzhou Information Science and Technology Institute, Zhengzhou 450000, China) Abstract: Hummingbird is a lightweight encryption and message
More informationHardware Design and Analysis of Block Cipher Components
Hardware Design and Analysis of Block Cipher Components Lu Xiao and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland St.
More informationImproved Slide Attacks
Improved Slide Attacs Eli Biham 1 Orr Dunelman 2 Nathan Keller 3 1 Computer Science Department, Technion. Haifa 32000, Israel biham@cs.technion.ac.il 2 Katholiee Universiteit Leuven, Dept. of Electrical
More informationLinks Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities
Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities Céline Blondeau and Kaisa Nyberg Department of Information and Computer Science,
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationNew Results in the Linear Cryptanalysis of DES
New Results in the Linear Cryptanalysis of DES Igor Semaev Department of Informatics University of Bergen, Norway e-mail: igor@ii.uib.no phone: (+47)55584279 fax: (+47)55584199 May 23, 2014 Abstract Two
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationKey Difference Invariant Bias in Block Ciphers
Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC
More informationResearch Article New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4
Hindawi ecurity and Communication Networks Volume 2017, Article ID 1461520, 10 pages https://doi.org/10.1155/2017/1461520 Research Article New Linear Cryptanalysis of Chinese Commercial Block Cipher tandard
More informationZero-Correlation Linear Cryptanalysis of Reduced-Round LBlock
Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline
More informationImproved Cascaded Stream Ciphers Using Feedback
Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationA Unified Method for Finding Impossible Differentials of Block Cipher Structures
A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai
More information