Integrals go Statistical: Cryptanalysis of Full Skipjack Variants
1 Integrals go Statistical: Cryptanalysis of Full Skipjack Variants
Meiqin Wang, joint work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen and Andrey Bogdanov
Shandong University, China; DTU
FSE, Bochum, Germany
2 Outline
1 Background and Contributions
2 Statistical Integral Distinguisher
3 Experimental Results
4 Key Recovery Attacks on Skipjack-BABABABA
5 Summary
Meiqin Wang (Shandong University), Statistical Integral Distinguisher, FSE, Bochum, Germany, 2 / 23
3 Background and Contributions: Background
- Integral distinguisher: proposed by Knudsen to attack Square (FSE 97); unified by Knudsen and Wagner as the integral attack (FSE 02); saturation distinguisher (FSE 01); multiset distinguisher by Biryukov et al. (EUROCRYPT 01). Based upon the balancedness property or the zero-sum property.
- Integral zero-correlation distinguisher: proposed by Bogdanov et al. (ASIACRYPT 12); conditional equivalence of the zero-correlation distinguisher and the integral (balancedness) distinguisher.
- Statistical saturation distinguisher: proposed by Collard et al. (CT-RSA 09); utilizes the advantage (bias or capacity) on the output side; complexity estimation at EUROCRYPT 11; targets PRESENT, PUFFIN, etc., where the integral attack is less efficient.
4 Background and Contributions: Motivations and Contributions
Motivations:
- For an integral distinguisher, the data complexity is determined by taking all values at certain input bits.
- Often the bottleneck of an integral attack is its data complexity.
- It is desirable (and possible) to trade data for time.
Contributions:
- Propose a novel statistical integral distinguisher which requires less data: traverse $s$ bits at the input and consider the balance of $t$ bits at the output; the data complexity drops from $O(2^s)$ to $O(2^{s-t/2})$.
- Full-round cryptanalysis of Skipjack-BABABABA for the first time.
6 Statistical Integral Distinguisher: Integral Distinguisher
Target cipher decomposition: $H : \mathbb{F}_2^n \to \mathbb{F}_2^n$ is (part of) a cipher, written as $H : \mathbb{F}_2^r \times \mathbb{F}_2^s \to \mathbb{F}_2^t \times \mathbb{F}_2^u$ with $H(x,y) = (H_1(x,y), H_2(x,y))$. Denote $T_\lambda : \mathbb{F}_2^s \to \mathbb{F}_2^t$, $T_\lambda(y) = H_1(\lambda, y)$. (Figure: $H$ takes the $r$-bit $x$ and the $s$-bit $y$ and outputs the $t$-bit $H_1(x,y)$ and the $u$-bit $H_2(x,y)$.)
Integral distinguisher: if $y$ takes all possible values of $\mathbb{F}_2^s$, $T_\lambda(y)$ is uniformly distributed with probability one.
Towards a statistical integral distinguisher: if $y$ takes a considerable number (but not all) of the values in $\mathbb{F}_2^s$, the distribution of $T_\lambda(y)$ for the cipher can be distinguished from the distribution for a random permutation.
7 Statistical Integral Distinguisher: Different Distributions
- $T_\lambda : \mathbb{F}_2^s \to \mathbb{F}_2^t$, $T_\lambda(y) = H_1(\lambda, y)$, follows a multivariate hypergeometric distribution.
- A $t$-bit value chosen randomly from a uniform distribution follows a multinomial distribution.
Towards distinguishing the two distributions: suppose $N$ different values of $y$ are needed to distinguish the above two distributions. The $t$-bit value $T_\lambda(y) \in \mathbb{F}_2^t$ is computed for each $y$. Counter vector $V[T_\lambda(y)]$: the number of occurrences of each value $T_\lambda(y)$. Consider the following statistic:
$$C = \sum_{T_\lambda(y)=0}^{2^t-1} \frac{\left(V[T_\lambda(y)] - \frac{N}{2^t}\right)^2}{\frac{N}{2^t}}. \quad (1)$$
8 Statistical Integral Distinguisher
$$C = \sum_{T_\lambda(y)=0}^{2^t-1} \frac{\left(V[T_\lambda(y)] - \frac{N}{2^t}\right)^2}{\frac{N}{2^t}}$$
Based on the well-known Pearson $\chi^2$ statistical result, we get:
- for the right key guess: $\frac{2^s-1}{2^s-N}\, C_{cipher} \sim \chi^2(2^t-1)$;
- for a wrong key guess: $C_{random} \sim \chi^2(2^t-1)$.
Fact: suppose $\chi^2_l$ is the $\chi^2$-distribution with $l$ degrees of freedom. For sufficiently large $l$, $\chi^2_l$ converges to the normal distribution, that is, $\chi^2_l \approx \mathcal{N}(l, 2l)$.
9 Statistical Integral Distinguisher
The statistic $C$ follows different distributions for an actual cipher (right key guess) and a random permutation (wrong key guess).
Proposition: for sufficiently large $N$ and $t$, the statistic $C$ approximately follows a normal distribution, for the cipher with mean and variance
$$\mu_0 = \mathrm{Exp}(C_{cipher}) = (2^t-1)\,\frac{2^s-N}{2^s-1}, \qquad \sigma_0^2 = \mathrm{Var}(C_{cipher}) = 2(2^t-1)\left(\frac{2^s-N}{2^s-1}\right)^2,$$
and for a randomly drawn permutation with mean and variance
$$\mu_1 = \mathrm{Exp}(C_{random}) = 2^t-1, \qquad \sigma_1^2 = \mathrm{Var}(C_{random}) = 2(2^t-1).$$
10 Statistical Integral Distinguisher: Data Complexity
Corollary: for type-I error probability $\alpha_0$ (the probability of wrongfully discarding the cipher) and type-II error probability $\alpha_1$ (the probability of wrongfully accepting a randomly chosen permutation as the cipher), to distinguish a cipher from a randomly chosen permutation based on $t$-bit outputs when fixing $r$-bit inputs and randomly choosing values for $s$-bit inputs, the data complexity can be approximated by
$$N = \frac{(2^s-1)\,(q_{1-\alpha_0} + q_{1-\alpha_1})}{\sqrt{(2^t-1)/2} + q_{1-\alpha_0}} + 1,$$
where $q_{1-\alpha_0}$ and $q_{1-\alpha_1}$ are the respective quantiles of the standard normal distribution. The statistical test is based on the decision threshold $\tau = \mu_0 + \sigma_0\, q_{1-\alpha_1}$: if $C \le \tau$, output "cipher"; if $C > \tau$, output "random".
12 Experimental Results on a Mini Variant of AES (AES*)
A brief introduction of AES*: block size 64 bits; cell size 4 bits; SB: the S-box of LBlock; SR: same as in AES; MC: multiplication by a matrix $M$ (the entries of $M$ are not legible here).
The integral distinguisher used in our experiment is illustrated in Fig. 1.
Fig. 1: Integral property for 4-round AES* (the MC operation in the last round is omitted). Rounds R1 to R4, each with SB, SR, MC and AK; the states are 4x4 cell arrays with cells marked A (active) or C (constant).
The experimental results for the empirical error probabilities $\hat\alpha_0$ and $\hat\alpha_1$ are compared with the theoretical values $\alpha_0$ and $\alpha_1$ in Figure 2, which shows that the test results for the error probabilities are in good accordance with those of the theoretical model.
13 Experimental Results on a Mini Variant of AES
- $s = 16$, $t = 8$.
- Set the theoretical $\alpha_0 = 0.2$ and different values for $N$.
- Calculate the theoretical $\alpha_1$ and $\tau$ with the Corollary.
- Compare the theoretical $\alpha_0, \alpha_1$ with the empirical $\hat\alpha_0, \hat\alpha_1$.
Figure 2: error probability against $\log(N)$ for $\alpha_0$, $\alpha_1$, $\hat\alpha_0$ and $\hat\alpha_1$.
The test results for the error probabilities are in good accordance with those of the theoretical model.
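The $\chi^2$-statistic $C$ of (1), the moments of the Proposition, the data complexity $N$ of the Corollary and the experiment's way of working (fix $\alpha_0$ and $N$, derive $\alpha_1$ and $\tau$), carried through in Python as an added example; this is not code from the slides or from the paper. The cipher side is modelled by a constructed balanced map (the low $t$ bits of a random permutation, sampled without replacement, which is exactly the multivariate hypergeometric case) and the random-permutation side by independent uniform $t$-bit values (the multinomial case). The function names are mine, and the threshold is placed at $\mu_0 + \sigma_0 q_{1-\alpha_0}$, which for $N$ taken from the Corollary coincides with $\mu_1 - \sigma_1 q_{1-\alpha_1}$, so both error probabilities are met at once.

```python
"""Statistical integral distinguisher: the chi-square statistic C, the normal
approximation of the Proposition, the data complexity N of the Corollary and
a small simulation of the cipher-versus-random decision.

Added example; the balanced map and the random-permutation model are
constructed for illustration, not taken from the slides or the paper.
"""
import math
import random
from collections import Counter
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # standard normal, used for the quantiles q_{1-a}


def quantile(p):
    """q_p: the p-quantile of the standard normal distribution."""
    return _STD_NORMAL.inv_cdf(p)


def chi2_statistic(counts, n, t):
    """Statistic (1): C = sum over all 2^t values v of (V[v] - N/2^t)^2 / (N/2^t).

    `counts` maps a t-bit value v to V[v], the number of inputs y with
    T_lambda(y) = v; values never observed contribute (0 - N/2^t)^2 / (N/2^t).
    """
    expected = n / 2 ** t
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(2 ** t))


def cipher_moments(s, t, n):
    """Proposition, cipher side: (mu_0, sigma_0) for a right key guess.

    rho = (2^s - N)/(2^s - 1) is the finite-population factor of the
    hypergeometric model: mu_0 = (2^t - 1) rho, sigma_0^2 = 2 (2^t - 1) rho^2.
    """
    rho = (2 ** s - n) / (2 ** s - 1)
    return (2 ** t - 1) * rho, math.sqrt(2 * (2 ** t - 1)) * rho


def random_moments(t):
    """Proposition, random side: (mu_1, sigma_1) for a wrong key guess."""
    return 2 ** t - 1, math.sqrt(2 * (2 ** t - 1))


def data_complexity(s, t, alpha0, alpha1):
    """Corollary: N = (2^s-1)(q_{1-a0} + q_{1-a1}) / (sqrt((2^t-1)/2) + q_{1-a0}) + 1."""
    q0, q1 = quantile(1 - alpha0), quantile(1 - alpha1)
    return (2 ** s - 1) * (q0 + q1) / (math.sqrt((2 ** t - 1) / 2) + q0) + 1


def threshold(s, t, n, alpha0):
    """Decision threshold tau = mu_0 + sigma_0 q_{1-a0}: C <= tau -> cipher, C > tau -> random."""
    mu0, sigma0 = cipher_moments(s, t, n)
    return mu0 + sigma0 * quantile(1 - alpha0)


def type2_error(s, t, n, alpha0):
    """alpha_1 implied by a fixed alpha_0 and N (the AES* experiment's setting):
    the probability that a random permutation's C lands at or below tau."""
    mu1, sigma1 = random_moments(t)
    return _STD_NORMAL.cdf((threshold(s, t, n, alpha0) - mu1) / sigma1)


def simulate(s, t, n, seed=0):
    """Return (C_cipher, C_random) computed from N distinct inputs y.

    Cipher model (constructed): T_lambda(y) = low t bits of P(y) for a random
    permutation P of the s-bit domain, so drawing N distinct y is the same as
    drawing N distinct values of P(y) without replacement (hypergeometric).
    Random model: N independent uniform t-bit values (multinomial).
    """
    rng = random.Random(seed)
    mask = 2 ** t - 1
    cipher_counts = Counter(v & mask for v in rng.sample(range(2 ** s), n))
    random_counts = Counter(rng.getrandbits(t) for _ in range(n))
    return chi2_statistic(cipher_counts, n, t), chi2_statistic(random_counts, n, t)


if __name__ == "__main__":
    s, t = 16, 8                       # the AES* experiment's parameters
    n = math.ceil(data_complexity(s, t, 2 ** -10, 2 ** -10))
    tau = threshold(s, t, n, 2 ** -10)
    c_cipher, c_random = simulate(s, t, n, seed=1)
    print(f"N={n} tau={tau:.1f} C_cipher={c_cipher:.1f} C_random={c_random:.1f}")
    print("alpha_1 for N=2^14, alpha_0=0.2:", type2_error(s, t, 2 ** 14, 0.2))
```

With $s = 16$, $t = 8$ and $\alpha_0 = \alpha_1 = 2^{-10}$ the Corollary asks for roughly $28\,000$ of the $2^{16}$ inputs, i.e. well under the full traversal a classical integral distinguisher needs; `type2_error` reproduces the experiment's reading of $\alpha_1$ off a chosen $N$, and calling `simulate` with $N = 2^s$ returns $C_{cipher} = 0$, the classical balanced case.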
15 Key Recovery Attacks on Skipjack-BABABABA: Skipjack-BABABABA
- Designed by the NSA; 32 rounds; 64-bit block size; 80-bit key size; unbalanced Feistel network with Rule A and Rule B rounds.
- Original Skipjack-AABBAABB: 24-round impossible differential; 31-round attack by Biham et al.
- Variant Skipjack-BABABABA: 21-round impossible differential; 30-round zero-correlation linear approximation; 31-round attack by Bogdanov et al.
(Figure: the Rule B and Rule A round functions.)
16 30-Round Integral Distinguisher of Skipjack-BABABABA
(Figure: the 30-round zero-correlation linear approximation, with masks $L_1$, $M_1, \dots, M_7$ and $L_2$ propagated forward and backward through the Rule B / Rule A rounds and meeting in the middle with a contradiction on $M_5$.)
At ASIACRYPT 2012, Bogdanov et al. proposed 30-round ZC linear approximations for Skipjack-BABABABA, which are $(L_1, 0, 0, L_1) \to (0, L_2, L_2, 0)$ for non-zero $L_1$ and $L_2$. The conditional equivalence between ZC distinguishers and integral distinguishers gives the following 30-round integral distinguisher: taking all $2^{48}$ possible values for the input of round 2, $(\alpha_2, \beta_2, \gamma_2, \delta_2)$ with $\delta_2 = \alpha_2$, the set of all corresponding values of the round-31 output $\beta_{32} \oplus \gamma_{32}$ is balanced.
17 Key Recovery Attack on Full-Round Skipjack-BABABABA
- Consider only the integral property of the right-half 8 bits of $\beta_{32} \oplus \gamma_{32}$, namely $\beta_{32}^R \oplus \gamma_{32}^R$.
- $s = 48$, $t = 8$.
- Set $\alpha_0 = 2^{-2.7}$, $\alpha_1 = 2^{-4}$.
- Need $N =$ (value not legible).
(Figure: the 30-round integral zero-correlation distinguisher over rounds 2 to 31, from $(\alpha_2, \beta_2, \gamma_2, \delta_2 = \alpha_2)$ to $(\alpha_{32}, \beta_{32}, \gamma_{32}, \delta_{32})$ marked (?) (S) (?) (?); round 1 maps $(\alpha_1, \beta_1, \gamma_1, \delta_1)$ with subkeys $k_0, k_1, k_2, k_3$, and round 32 maps to $(\alpha_{33}, \beta_{33}, \gamma_{33}, \delta_{33})$ with subkeys $k_4, \dots, k_7$ and intermediate values $a, b, c, d$.)
18 Key Recovery Attack on Full-Round Skipjack-BABABABA
1 for all values of $(\alpha_1, \beta_1, \gamma_1, \delta_1)$ do
2   Store the plaintext-ciphertext pairs.
3 for all $2^{32}$ values of $k_0, k_1, k_2, k_3$ do
4   Compute $\alpha_2$.
5   Construct $(\alpha_1, \beta_1, \gamma_1, \alpha_2)$.
6   Ask for the ciphertexts and increase $V_1[\beta_{33}, \gamma_{33}^R]$.
7   for all $2^{16}$ values of $k_6, k_7$ do
8     Update $V_2[d, c, \gamma_{33}^R]$.
9     for all $2^8$ values of $k_5$ do
10      Update $V_3[\beta_{33}^R \oplus \gamma_{33}^R]$.
11      Compute the $\chi^2$-statistic $C$.
12      if $C \le \tau$ then
13        Search all right key candidates.
Data: (value not legible) CP; Time: (value not legible); Memory: (value not legible) bytes.
(Figure: as on the previous slide, the 30-round distinguisher over rounds 2 to 31, with round 1 keyed by $k_0, \dots, k_3$ and round 32 keyed by $k_4, \dots, k_7$.)
19 Key Recovery Attack on 31-Round Skipjack-BABABABA
- Consider only the integral property of the right-half 8 bits of $\beta_{32} \oplus \gamma_{32}$, namely $\beta_{32}^R \oplus \gamma_{32}^R$.
- $s = 48$, $t = 8$.
- Set $\alpha_0 = 2^{-3.7}$, $\alpha_1 = 2^{-16}$.
- Need $N =$ (value not legible).
1 for all values of $(\alpha_2, \beta_2, \gamma_2, \delta_2 = \alpha_2)$ do
2   Ask for the ciphertexts.
3   Increase $V_0[\beta_{33}, \gamma_{33}^L]$ and $V_1[\beta_{33}, \gamma_{33}^R]$.
4   for all $2^{16}$ values of $k_6, k_7$ do
5     Update $V_2[d, c, \gamma_{33}^R]$.
6     for all $2^8$ values of $k_5$ do
7       Update $V_3[\beta_{32}, \gamma_{32}^R]$.
8       Compute the $\chi^2$-statistic $C$.
        if $C \le \tau$ then
9         Search all the right key candidates.
Data: (value not legible) CP; Time: $2^{48}$; Memory: (value not legible) bytes.
(Figure: the 30-round integral zero-correlation distinguisher over rounds 2 to 31, from $(\alpha_2, \beta_2, \gamma_2, \delta_2)$ marked (?) (S) (?) (?) to $(\alpha_{32}, \beta_{32}, \gamma_{32}, \delta_{32})$, followed by round 32 with subkeys $k_4, \dots, k_7$, intermediate values $a, b, c, d$ and output $(\alpha_{33}, \beta_{33}, \gamma_{33}, \delta_{33})$.)
20 Summary of Key Recovery Attacks on Skipjack-BABABABA
Attack | Rounds | Data | Time | Memory | Ref.
Integral ZC | | CP | | | ASIACRYPT 12
Statistical integral | | CP | | | Here
Statistical integral | | CP | | | Here
(The rounds, data, time and memory figures of the table are not legible here.) Memory is measured in bytes. CP: chosen plaintext.
22 Summary
- A new statistical integral distinguisher is proposed with reduced data complexity.
- The statistical distinguisher model is verified by experiments.
- The first attack on full-round Skipjack-BABABABA.
- An improved integral attack on 31-round Skipjack-BABABABA.
23 Thanks for Your Attention!
Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta 1 1 Indian Statistical Institute, Kolkata 2 Jadavpur University, Kolkata FSE 2011, Lyngby, Denmark 15 February 2011 Outline of the Talk
More informationMultiple-Differential Side-Channel Collision Attacks on AES
Multiple-Differential Side-Channel Collision Attacks on AES Andrey Bogdanov Horst Görtz Institute for IT Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. In
More informationImproving the Time Complexity of Matsui s Linear Cryptanalysis
Improving the Time Complexity of Matsui s Linear Cryptanalysis B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group, Université Catholique de Louvain Abstract. This paper reports on an improvement
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationSome integral properties of Rijndael, Grøstl-512 and LANE-256
Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,
More informationStatistical and Algebraic Properties of DES
Statistical and Algebraic Properties of DES Stian Fauskanger 1 and Igor Semaev 2 1 Norwegian Defence Research Establishment (FFI), PB 25, 2027 Kjeller, Norway 2 Department of Informatics, University of
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationHow Biased Are Linear Biases
How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom {M.R.Albrecht,carlos.cid}@rhul.ac.uk
More informationRC4 State Information at Any Stage Reveals the Secret Key
RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy
More informationMultiple Differential Cryptanalysis: Theory and Practice
Multiple Differential Cryptanalysis: Theory and Practice Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.Gérard. Multiple differential cryptanalysis
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationLinear Cryptanalysis Using Multiple Linear Approximations
Linear Cryptanalysis Using Multiple Linear Approximations Miia HERMELIN a, Kaisa NYBERG b a Finnish Defence Forces b Aalto University School of Science and Nokia Abstract. In this article, the theory of
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationRelated Key Differential Cryptanalysis of Midori
Related Key Differential Cryptanalysis of Midori Using constraint programming David Gerault Pascal Lafourcade LIMOS, University Clermont Auvergne Gerault, Lafourcade Related Key Differential Cryptanalysis
More informationData Complexity and Success Probability for Various Cryptanalyses
Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity
More informationRecent Cryptanalysis of RC4 Stream Cipher
28 August, 2013 ASK 2013 @ Weihai, China Recent Cryptanalysis of RC4 Stream Cipher Takanori Isobe Kobe University Joint work with Toshihiro Ohigashi, Yuhei Watanabe, and Maskatu Morii Agenda This talk
More informationExperimenting Linear Cryptanalysis
Experimenting Linear Cryptanalysis Baudoin Collard, François-Xavier Standaert UCL Crypto Group, Microelectronics Laboratory, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationOn Multiple Linear Approximations
On Multiple Linear Approximations Alex Biryukov, Christophe De Cannière, and Michael Quisquater Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More information