observations on the simon block cipher family
|
|
- Isabel Williams
- 6 years ago
- Views:
Transcription
1 observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany
2 lightweight cryptography
3 Lightweight Cryptography What is Lightweight Cryptography? Design primitives for resource-constraint environments like RFID tags. Lot of attention over the last few years. NIST started to investigate the possibility to standardize primitives. Design Criteria Chip-area Latency Code-size... 2
4 SIMON Simon is a family of block ciphers designed by NSA. Published in 2013 on the eprint archive. Lightweight design for hardware. block size key sizes , , , , 192, 256 3
5 SIMON Feistel Network Simple round function Between 32 and 72 rounds S 8 S 1 S 2 K i 4
6 SIMON Cryptanalysis of Simon No (public) cryptanalysis or security arguments from the designers. Many contributions by the cryptographic community. Attacks cover up to 74% of the rounds. 5
7 properties of simon
8 Differential and Linear Any cipher should have reasonable security margin against differential and linear cryptanalysis. For SPN designs easier to show bounds. Difficult for ARX, Simon. Best attacks on Simon are based on differential and linear cryptanalysis. 7
9 Differential Cryptanalysis Differential Cryptanalysis: Observe how difference propagate through the round function. Find correlations between input and output difference. x α = x x x f f y β = y y y 8
10 Differential Cryptanalysis We are interested in: Probability for one round: x α x Pr(α f β) Differential characteristics: Pr(α f β f γ) f f Differentials: Pr(α f x f γ) y β y x 9
11 Differential Cryptanalysis We are interested in: x α x Probability for one round: Pr(α f β) f f Differential characteristics: Pr(α f β f γ) y β y Differentials: Pr(α f x f γ) f f x z γ z 9
12 Differential Cryptanalysis We are interested in: x α x Probability for one round: Pr(α f β) f f Differential characteristics: Pr(α f β f γ) Differentials: Pr(α f x f γ) f f x z γ z 9
13 Differential and Linear For the analysis we use an equivalent representation for Simon S 8 S 1 S 2 K i 10
14 Differential and Linear For the analysis we use an equivalent representation for Simon S 1 K i 10
15 Differential and Linear We look at a message m = (m n 1,..., m 1, m 0 ) and an input difference d = (d n 1,..., d 1, d 0 ). The output difference f(m) f(m d) is then given by: 0, if d i = 0 and d i 1 = 0 D i (m, d) = 11
16 Differential and Linear We look at a message m = (m n 1,..., m 1, m 0 ) and an input difference d = (d n 1,..., d 1, d 0 ). The output difference f(m) f(m d) is then given by: 0, if d i = 0 and d i 1 = 0 m i, if d i = 0 and d i 1 = 1 D i (m, d) = 11
17 Differential and Linear We look at a message m = (m n 1,..., m 1, m 0 ) and an input difference d = (d n 1,..., d 1, d 0 ). The output difference f(m) f(m d) is then given by: 0, if d i = 0 and d i 1 = 0 m i, if d i = 0 and d i 1 = 1 D i (m, d) = m i 1, if d i = 1 and d i 1 = 0 11
18 Differential and Linear We look at a message m = (m n 1,..., m 1, m 0 ) and an input difference d = (d n 1,..., d 1, d 0 ). The output difference f(m) f(m d) is then given by: 0, if d i = 0 and d i 1 = 0 m i, if d i = 0 and d i 1 = 1 D i (m, d) = m i 1, if d i = 1 and d i 1 = 0 m i m i 1, if d i = 1 and d i 1 = 1. (1) 11
19 Differential and Linear Let us now look at a first example. Let n = 6, and d = We then calculate D(m, d) using the above bitwise definition of D: i d S 1 (d) (2) D(m, d) 12
20 Differential and Linear Let us now look at a first example. Let n = 6, and d = We then calculate D(m, d) using the above bitwise definition of D: i d S 1 (d) (2) D(m, d) 0 12
21 Differential and Linear Let us now look at a first example. Let n = 6, and d = We then calculate D(m, d) using the above bitwise definition of D: i d S 1 (d) (2) D(m, d) m
22 Differential and Linear Let us now look at a first example. Let n = 6, and d = We then calculate D(m, d) using the above bitwise definition of D: i d S 1 (d) (2) D(m, d) m 2 m
23 Differential and Linear Let us now look at a first example. Let n = 6, and d = We then calculate D(m, d) using the above bitwise definition of D: i d S 1 (d) (2) D(m, d) m 2 m 2 m
24 Differential and Linear Let us now look at a first example. Let n = 6, and d = We then calculate D(m, d) using the above bitwise definition of D: i d S 1 (d) (2) D(m, d) m 4 m 2 m 2 m
25 Differential and Linear Let us now look at a first example. Let n = 6, and d = We then calculate D(m, d) using the above bitwise definition of D: i d S 1 (d) (2) D(m, d) 0 m 4 m 2 m 2 m 0 0 Resulting difference only depends on m 0, m 2, m 4. Therefore we have 8 possible output differences. 12
26 Differential and Linear Can compute the differential probability with simple bit operations. The bits which can be non-zero at the output: varibits = α S 1 (α) (3) The bits which have to be equal to their right neighbour: doublebits = α S 1 (α) S 2 (α) (4) 13
27 Differential and Linear For our previous example: varibits = doublebits = Possible output differences:
28 Differential and Linear For our previous example: varibits = doublebits = Possible output differences:
29 Differential and Linear For our previous example: varibits = doublebits = Possible output differences:
30 Differential and Linear A valid differential (α β) has to satisfy: There can only be a difference at β i, if varibits i is equal to 1. If doublebits i is 1, then β i = β i 1. The probability is then given by: Pr(α β) = 2 wt(varibits doublebits) (5) 17
31 Differential and Linear A valid differential (α β) has to satisfy: There can only be a difference at β i, if varibits i is equal to 1. If doublebits i is 1, then β i = β i 1. The probability is then given by: Pr(α β) = 2 wt(varibits doublebits) (5) 17
32 Differential and Linear Apply affine transformation for Simon round function. Proofs in the paper. Similar approach for linear cryptanalysis. 18
33 finding optimal differential and linear characteristics
34 Optimal Characteristics We are interested in differential and linear characteristics with high probability. We use an approach based on SAT/SMT solvers, similar to results on Salsa20 [MP13] or NORX [AJN15]. Gives upper bounds on the probability. Estimate probability of the differentials. Open Source
35 Optimal Characteristics x i y i S 8 S 1 S 2 z i Constraints: Use our previous observations on varibits and doublebits. Probability for one round is w i = wt(varibits doublebits). x i+1 y i+1 21
36 Lower Bounds Use this to find characteristic with probability 2 w : Add constraints for each round. Check if w = r 1 w i. i=0 Increase w if no solution was found. We ran experiments for Simon32, Simon48 and Simon64. 22
37 Lower Bounds 2 50 Probability of best characteristic Simon Number of Rounds 23
38 Lower Bounds 2 50 Probability of best characteristic Simon32 Simon Number of Rounds 23
39 Lower Bounds 2 50 Probability of best characteristic Simon32 Simon48 Simon Number of Rounds 23
40 Differentials What about differentials? Often assumed that probability of the best characteristics can be used to estimate probability of the best differential. Only inaccurate estimate for Simon. We estimate the probability of a differential Add constraints for each round. Set (x 0, y 0 ) = in and (x r, y r ) = out. Find all solutions for increasing values of w. 24
41 Differentials We can determine the interval for the characteristics contributing to a differential [w min, w max ]. Covering the whole interval is computationally expensive. Gives better estimate than previous results. Cipher Rounds w min w max log 2 (p) Simon (91) Simon (68) Simon (89)
42 Differentials 2 20 #Characteristics Probability of one characteristic 26
43 Differentials Differential Probability Probability Probability of one characteristic 27
44 Differentials Differential Probability Probability Measured DP Probability of one characteristic 27
45 Differentials Differential Probability Seconds Probability Measured DP Probability of one characteristic 27
46 Differentials Differential Probability Seconds 3 Hours Probability Measured DP Probability of one characteristic 27
47 Differentials Differential Probability Seconds 3 Hours 1 Month Probability Measured DP Probability of one characteristic 27
48 rotation constants
49 Rotation Constants Possible Criteria: Simplicity Implementation costs Security? Are there parameters which are better with regard to some metrics? 29
50 Rotation Constants Basic test for diffusion: Block size Standard parameters Best possible Rank 2nd 2nd 2nd 3rd 4th 30
51 Rotation Constants Bounds for differential and linear characteristics give us some interesting candidates: The bounds are as good as the original parameters or slightly better. Simon[12, 5, 3] offers best diffusion. Simon[7, 0, 2] offers best diffusion, when b = 0. Simon[1, 0, 2] has bad diffusion, but good bounds. 31
52 Rotation Constants Bounds for differential and linear characteristics give us some interesting candidates: The bounds are as good as the original parameters or slightly better. Simon[12, 5, 3] offers best diffusion. Simon[7, 0, 2] offers best diffusion, when b = 0. Simon[1, 0, 2] has bad diffusion, but good bounds. What effect do the rotations constants have on differentials? 31
53 Rotation Constants Number of Characteristics Simon32[8, 1, 2] Probability of one characteristic 32
54 Rotation Constants Number of Characteristics Simon32[8, 1, 2] Simon32[7, 0, 2] Probability of one characteristic 32
55 Rotation Constants Number of Characteristics Simon32[8, 1, 2] Simon32[7, 0, 2] Simon32[1, 0, 2] Probability of one characteristic 32
56 Rotation Constants Number of Characteristics Simon32[8, 1, 2] Simon32[7, 0, 2] Simon32[1, 0, 2] Simon32[12, 5, 3] Probability of one characteristic 32
57 Conclusion Contributions: Constant time algorithm for differential probability. Bounds on the probability of differential/linear characteristics. Compared quality of rotation constants. Open Problems: More refined analysis of the parameter space. Find efficient method to determine differential effect for different constants. 33
58 questions? 34
59 References I Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves, Analysis of NORX: investigating differential and rotational properties, Progress in Cryptology - LATINCRYPT 2014 (Diego F. Aranha and Alfred Menezes, eds.), Lecture Notes in Computer Science, vol. 8895, Springer, 2015, pp Farzaneh Abed, Eik List, Stefan Lucks, and Jakob Wenzel, Differential cryptanalysis of round-reduced SIMON and SPECK, Fast Software Encryption, FSE 2014 (Carlos Cid and Christian Rechberger, eds.), Lecture Notes in Computer Science, vol. 8540, Springer, 2015, pp
60 References II Alex Biryukov, Arnab Roy, and Vesselin Velichkov, Differential analysis of block ciphers SIMON and SPECK, Fast Software Encryption, FSE 2014 (Carlos Cid and Christian Rechberger, eds.), Lecture Notes in Computer Science, vol. 8540, Springer, 2015, pp Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers, The SIMON and SPECK families of lightweight block ciphers, Cryptology eprint Archive, Report 2013/404, 2013, Nicky Mouha and Bart Preneel, Towards finding optimal differential characteristics for ARX: Application to Salsa20, Cryptology eprint Archive, Report 2013/328, 2013, 36
A Brief Comparison of Simon and Simeck
A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based
More informationLinear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques
Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques Lingyue Qin 1, Huaifeng Chen 3, Xiaoyun Wang 2,3 1 Department of Computer Science and Technology, Tsinghua University, Beijing
More informationMixed-integer Programming based Differential and Linear Cryptanalysis
Mixed-integer Programming based Differential and Linear Cryptanalysis Siwei Sun State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences Data Assurance
More informationBit-Based Division Property and Application to Simon Family
Bit-Based Division Property and Application to Simon Family Yosuke Todo 1,2 and Masakatu Morii 2 1 NTT Secure Platform Laboratories, Tokyo, Japan todo.yosuke@lab.ntt.co.jp 2 Kobe University, Kobe, Japan
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationDifferential Fault Analysis on the families of SIMON and SPECK ciphers
Differential Fault Analysis on the families of SIMON and SPECK ciphers Harshal Tupsamudre, Shikha Bisht, Debdeep Mukhopadhyay Indian Institute of Technology, Kharagpur Abstract. In 2013, the US National
More informationAlgebraic Analysis of the Simon Block Cipher Family
Algebraic Analysis of the Simon Block Cipher amily Håvard Raddum Simula Research Laboratory, Norway Abstract. This paper focuses on algebraic attacks on the Simon family of block ciphers. We construct
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationOn the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants
On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants Kota Kondo 1, Yu Sasaki 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k kondo@echo.nuee.nagoya-u.ac.jp
More informationIIT KHARAGPUR FDTC September 23, South Korea, Busan. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67
IIT KHARAGPUR Differential Fault Analysis on the Families of SIMON and SPECK Ciphers Authors: Harshal Tupsamudre, Shikha Bisht, Debdeep Mukhopadhyay (IIT KHARAGPUR) FDTC 2014 South Korea, Busan September
More informationDifferential Analaysis of Block Ciphers SIMON and SPECK
1 / 36 Differential Analaysis of Block Ciphers SIMON and SPECK Alex Biryukov, Arnab Roy, Vesselin Velichkov 2 / 36 Outline Introduction Light-Weight Block Ciphers: SIMON and SPECK Differential Anlaysis
More informationImproved Linear Cryptanalysis of reduced-round SIMON-32 and SIMON-48
Improved inear Cryptanalysis of reduced-round SIMON-32 and SIMON-48 Mohamed Ahmed Abdelraheem, Javad Alizadeh 2, Hoda A. Alkhzaimi 3, Mohammad eza Aref 2, Nasour Bagheri 4, and Praveen Gauravaram 5 SICS
More informationRotational Cryptanalysis in the Presence of Constants
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur 1 and Yunwen Liu 1,2 1 Dept. Electrical Engineering (ESAT), KU Leuven and iminds, Leuven, Belgium 2 College of Science, National University
More informationAutomatic Search for A Variant of Division Property Using Three Subsets (Full Version)
Automatic Search for A Variant of Division Property Using Three Subsets (Full Version) Kai Hu, Meiqin Wang Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationBlock Ciphers and Side Channel Protection
Block Ciphers and Side Channel Protection Gregor Leander ECRYPT-CSA@CHANIA-2017 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationSTP Models of Optimal Differential and Linear Trail for S-box Based Ciphers
STP Models of Optimal Differential and Linear Trail for S-box Based Ciphers Yu Liu 1,2, Huicong Liang 1, Muzhou Li 1, Luning Huang 1, Kai Hu 1, Chenhe Yang 1, and Meiqin Wang 1,3 1 Key Laboratory of Cryptologic
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationBeijing , China
Automatic ecurity Evaluation and (Related-key) Differential Characteristic earch: Application to IMON, PREENT, LBlock, DE(L) and Other Bit-oriented Block Ciphers iwei un 1,2, Lei Hu 1,2, Peng Wang 1,2,
More informationRotational Cryptanalysis of ARX Revisited
Rotational Cryptanalysis of ARX Revisited Dmitry Khovratovich 1, Ivica Nikolić 2, Josef Pieprzyk 3, Przemys law Soko lowski 4, Ron Steinfeld 5 1 University of Luxembourg, Luxembourg 2 Nanyang Technological
More informationOn the pseudo-random generator ISAAC
On the pseudo-random generator ISAAC Jean-Philippe Aumasson FHNW, 5210 Windisch, Switzerland Abstract. This paper presents some properties of he deterministic random bit generator ISAAC (FSE 96), contradicting
More informationAutomatic Search for Differential Trails in ARX Ciphers (extended version)
Automatic Search for Differential Trails in ARX Ciphers (extended version) Alex Biryukov and Vesselin Velichkov Laboratory of Algorithmics, Cryptology and Security (LACS) University of Luxembourg {Alex.Biryukov,Vesselin.Velichkov}@uni.lu
More informationOptimal Differential Trails in SIMON-like Ciphers
Optimal Differential Trails in SIMON-like Ciphers Zhengbin Liu 1,2, Yongqiang Li 1,2,3, Mingsheng Wang 1,2 1 State Key Laboratory of Information Security,Institute of Information Engineering, Chinese Academy
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationModified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha
Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha Tsukasa Ishiguro KDDI R&D Laboratories Inc. 2-1-15 Ohara, Fujimino, Saitama 356-8502, Japan tsukasa@kddilabs.jp 1
More informationThe SHA Family of Hash Functions: Recent Results
The SHA Family of Hash Functions: Recent Results Christian Rechberger Vincent Rijmen {Christian.Rechberger,Vincent.Rijmen}@iaik.tugraz.at Institute for Applied Information Processing and Communications
More informationMILP-aided Cryptanalysis of Round Reduced ChaCha
MILP-aided Cryptanalysis of Round Reduced ChaCha Najwa Aaraj, Florian Caullery and Marc Manzano DarkMatter, UAE Abstract The inclusion of ChaCha20 and Poly1305 into the list of supported ciphers in TLS
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationHaraka v2 Efficient Short-Input Hashing for Post-Quantum Applications
Haraka v2 Efficient Short-Input Hashing for Post-Quantum Applications Stefan Kölbl 1, Martin M. Lauridsen 2, Florian Mendel 3 and Christian Rechberger 1,3 1 DTU Compute, Technical University of Denmark,
More informationAnalysis of Some Quasigroup Transformations as Boolean Functions
M a t h e m a t i c a B a l k a n i c a New Series Vol. 26, 202, Fasc. 3 4 Analysis of Some Quasigroup Transformations as Boolean Functions Aleksandra Mileva Presented at MASSEE International Conference
More informationA Practical Key Recovery Attack on Basic TCHo
A Practical Key Recovery Attack on Basic TCHo Mathias Herrmann and Gregor Leander 2 Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum Germany mathias.herrmann@rub.de 2
More informationConstruction of Lightweight S-Boxes using Feistel and MISTY structures
Construction of Lightweight S-Boxes using Feistel and MISTY structures Anne Canteaut Sébastien Duval Gaëtan Leurent Inria, France SAC 2015 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes
More informationPreimage Attacks on 3, 4, and 5-pass HAVAL
Preimage Attacks on 3, 4, and 5-pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationLinear Cryptanalysis Using Low-bias Linear Approximations
Linear Cryptanalysis Using Low-bias Linear Approximations Tomer Ashur 1, Daniël Bodden 1, and Orr Dunkelman 2 1 Dept. Electrical Engineering, COSIC-imec, KU Leuven, Belgium [tashur,dbodden]@esat.kuleuven.be
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationPreimages for Step-Reduced SHA-2
Preimages for Step-Reduced SHA-2 Jian Guo 1 and Krystian Matusiewicz 2 1 Division of Mathematical Sciences School of Physical and Mathematical Sciences Nanyang Technological University, Singapore guojian@ntu.edu.sg
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationSalsa20 Cryptanalysis: New Moves and Revisiting Old Styles
Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra 1, Goutam Paul 1, Willi Meier 1 Indian Statistical Institute, Kolkata, India {subho,goutam.paul}@isical.ac.in FHNW, Windisch, Switzerland
More informationCount November 21st, 2017
RUHR-UNIVERSITÄT BOCHUM XOR Count November 21st, 2017 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer XOR Count November 21st, 2017 1 Overview Joint
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationA Collision-Attack on AES Combining Side Channel- and Differential-Attack
A Collision-Attack on AES Combining Side Channel- and Differential-Attack Kai Schramm, Gregor Leander, Patrick Felke, and Christof Paar Horst Görtz Institute for IT Security Ruhr-Universität Bochum, Germany
More informationSalsa20 Cryptanalysis: New Moves and Revisiting Old Styles
Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra, Goutam Paul, Willi Meier To cite this version: Subhamoy Maitra, Goutam Paul, Willi Meier. Salsa0 Cryptanalysis: New Moves and
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationPractical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationMatrix Power S-Box Construction
Matrix Power S-Box Construction Eligijus Sakalauskas a and Kestutis Luksys b Department of Applied Mathematics, Kaunas University of Technology, Studentu g. 50, 52368 Kaunas, Lithuania a Eligijus.Sakalauskas@ktu.lt
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationAnalysis of NORX: Investigating Differential and Rotational Properties.
Analysis of NORX: Investigating Differential and Rotational Properties Jean-Philippe Aumasson 1, Philipp Jovanovic 2, and Samuel Neves 3 1 Kudelski Security, Switzerland jeanphilippe.aumasson@gmail.com
More informationLinear Cryptanalysis: Key Schedules and Tweakable Block Ciphers
Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers Thorsten Kranz, Gregor Leander, Friedrich Wiemer Horst Görtz Institute for IT Security, Ruhr University Bochum Block Cipher Design k KS m
More informationZero-Sum Partitions of PHOTON Permutations
Zero-Sum Partitions of PHOTON Permutations Qingju Wang 1, Lorenzo Grassi 2, Christian Rechberger 1,2 1 Technical University of Denmark, Denmark, 2 IAIK, Graz University of Technology, Austria quwg@dtu.dk,
More informationChoosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations
Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations Christof Beierle SnT, University of Luxembourg, Luxembourg (joint work with Anne Canteaut, Gregor Leander, and Yann
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationAlgebraic Attack Against Trivium
Algebraic Attack Against Trivium Ilaria Simonetti, Ludovic Perret and Jean Charles Faugère Abstract. Trivium is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationAnalysis of AES, SKINNY, and Others with Constraint Programming
Analysis of AES, SKINNY, and Others with Constraint Programming Siwei Sun 1,4 David Gerault 2 Pascal Lafourcade 2 Qianqian Yang 1,4 Yosuke Todo 3 Kexin Qiao 1,4 Lei Hu 1,4 1 Institute of Information Engineering,
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationParallel Cube Tester Analysis of the CubeHash One-Way Hash Function
Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of
More informationThe Impact of Carries on the Complexity of Collision Attacks on SHA-1
The Impact o Carries on the Complexity o Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen Norbert.Pramstaller@iaik.tugraz.at Institute or Applied
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationFinding good differential patterns for attacks on SHA-1
Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationOn periods of Edon-(2m, 2k) Family of Stream Ciphers
On periods of Edon-2m, 2k Family of Stream Ciphers Danilo Gligoroski,2, Smile Markovski 2, and Svein Johan Knapskog Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationPractical Free-Start Collision Attacks on full SHA-1
Practical Free-Start Collision Attacks on full SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens Séminaire Cryptologie
More informationDifferential Analysis of the LED Block Cipher
Differential Analysis of the LED Block Cipher Florian Mendel, Vincent Rijmen, Deniz Toz, Kerem Varıcı KU Leuven, ESAT/COSIC and IBBT, Belgium {florian.mendel,vincent.rijmen,deniz.toz,kerem.varici}@esat.kuleuven.be
More informationUsing MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism
Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism Mahdi Sajadieh and Mohammad Vaziri 1 Department of Electrical Engineering, Khorasgan Branch, Islamic Azad University,
More informationA New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT
A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT Wentao Zhang 1, Zhenzhen Bao 1, Vincent Rijmen 2, Meicheng Liu 1 1.State Key Laboratory of Information
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, and Guang Gong Department of Electrical and Computer Engineering, University of Waterloo, Waterloo,
More informationMultiplicative Complexity Reductions in Cryptography and Cryptanalysis
Multiplicative Complexity Reductions in Cryptography and Cryptanalysis THEODOSIS MOUROUZIS SECURITY OF SYMMETRIC CIPHERS IN NETWORK PROTOCOLS - ICMS - EDINBURGH 25-29 MAY/2015 1 Presentation Overview Linearity
More informationACORN: A Lightweight Authenticated Cipher (v3)
ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification
More informationPreimage Attacks on 3, 4, and 5-Pass HAVAL
Preimage Attacks on 3, 4, and 5-Pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationRotational cryptanalysis of round-reduced Keccak
Rotational cryptanalysis of round-reduced Keccak Pawe l Morawiecki 1,3, Josef Pieprzyk 2, and Marian Srebrny 1,3 1 Section of Informatics, University of Commerce, Kielce, Poland pawelm@wsh-kielce.edu.pl
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationLightweight Cryptography and Cryptanalysis
Middle East Technical University (Turkey) RUHR University Bochum (Germany) Applied Cryptanalysis Workshop Ankara TURKEY 27-28 April 2017 Outline 1 A Brief History 2 Lightweight Ciphers 3 New techniques
More informationStructural Cryptanalysis of SASAS
J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,
More informationLinks Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities
Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities Céline Blondeau and Kaisa Nyberg Department of Information and Computer Science,
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationDirect Construction of Lightweight Rotational-XOR MDS Diffusion Layers
Direct Construction of Lightweight Rotational-XOR MDS Diffusion Layers Zhiyuan Guo 1,2, Renzhang Liu 3, Wenling Wu 1,2, and Dongdai Lin 3 1 Institute of Software, Chinese Academy of Sciences, Beijing,
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com
More informationCryptanalysis of the Full DES and the Full 3DES Using a New Linear Property
Cryptanalysis of the ull DES and the ull 3DES Using a New Linear Property Tomer Ashur 1 and Raluca Posteuca 1 imec-cosic, KU Leuven, Leuven, Belgium [tomer.ashur, raluca.posteuca]@esat.kuleuven.be Abstract.
More informationAttacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3
Attacks on DES 1 Attacks on DES Differential cryptanalysis is an attack on DES that compares the differences (that is, XOR values between ciphertexts of certain chosen plaintexts to discover information
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationAnalysis of Differential Attacks in ARX Constructions
.. Analysis of Differential Attacks in ARX Constructions Gaëtan Leurent UCL Crypto Group University of Luxembourg Asiacrypt 2012 G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationCryptanalysis of block EnRUPT
Cryptanalysis of block EnRUPT Elias Yarrkov 2010-10-08 (revised 2010-10-12) Abstract EnRUPT is a cryptographic primitive with a variable block and key length. We show several attacks on it that stem from
More information