Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Zheng Yuan, Xian Li
Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China
School of Telecommunications Engineering, Xidian University, Xi'an, Shaanxi 77, P.R. China

Abstract. CLEFIA is a 8-bit block cipher proposed by Sony Corporation in 7. Our paper introduces a new chosen text attack, the impossible differential-linear attack, on iterated cryptosystems. The attack is efficient for 6-round CLEFIA with whitening keys. In the paper, we construct a -round impossible differential-linear distinguisher. Based on the distinguisher, we present an effective attack on 6-round CLEFIA-8 with data complexity of .7, recovering 96-bit subkeys in total. Our attack can also be applied to CLEFIA-9 and CLEFIA-56.

Keywords: CLEFIA, impossible differential-linear cryptanalysis, impossible differential cryptanalysis, linear approximation.

Introduction

CLEFIA [6] is a 8-bit block cipher supporting key lengths of 8, 9 and 56 bits. It achieves enough immunity against known attacks and is flexible enough for efficient implementation in both hardware and software. As a block cipher proposed by Sony Corporation in 7, CLEFIA has received a significant amount of cryptanalytic attention. However, except for the evaluation report [7] from the designers, there are only a few significant cryptanalytic results about its security against various cryptanalytic techniques. At present, the most powerful attack on CLEFIA is a series of impossible differential attacks on reduced rounds of it. The first one is proposed by its designers in the evaluation report of CLEFIA [7]. In FSE 8, Tsunoo et al. introduced new 9-round impossible differentials for CLEFIA, and presented a -round attack on CLEFIA-8 with 8.9 chosen plaintexts and 9 encryptions [8]. Later, using the same impossible differential distinguisher, Zhang et al. presented an attack on 4-round CLEFIA, in which the design team pointed out a flaw and showed that it is not successful [9]. In IndoCrypt, Tezcan proposed improbable differential cryptanalysis and applied it to /4/5-round CLEFIA-8/96/56 by taking advantage of relations among the round keys [4].

(This work is supported by the National Natural Science Foundation of China (No. 675, 6775), Beijing Natural Science Foundation (No. 466), the th Five-year Cryptography Development Foundation of China (No. MMJJ6), the Fundamental Research Funds for the Central Universities, Scientific Research and Postgraduate Training Cooperation Project - Scientific Research Base - New Theory of Block Cipher and Obfuscation and their Application Research, and Foundation of State Key Laboratory of Information Security (Nos. -, --6). To whom correspondence should be addressed.)

Our Contribution. In this paper, we propose a new method, the impossible differential-linear attack, to analyze the CLEFIA block cipher. By constructing a -round distinguisher, using the new method, and combining it with key relations we found, we propose an attack on 6-round CLEFIA-8 with data complexity of .7 and time complexity of .7. Furthermore, Appendix A presents another distinguisher construction. Another attack on 6-round CLEFIA-8 is given in Appendix B, and we also show an attack on 5-round CLEFIA-8 in Appendix C. Our attacks are more efficient in comparison to the present results. In Appendix D we also provide some key relations.

Outline. This paper is organized as follows: Section provides a brief description of CLEFIA, and Section introduces our new method of impossible differential-linear attack. In Section 4 we present details of the -round impossible differential-linear distinguisher. The 6-round impossible differential-linear attack on CLEFIA-8 is discussed in detail in Section 5. We summarize our results in Section 6.

Description of CLEFIA

Notation

a b : the concatenation of a and b;
a (b) : b is the bit length of a;
a T : the transposition of a vector a;
P = (P, P, P, P ) : a 8-bit plaintext, P i {, } ( i );
C = (C, C, C, C ) : a 8-bit ciphertext, C i {, } ( i );
(i, i, i, i ) : the ith round input data, j i {, };
: the XOR value of and .

CLEFIA

CLEFIA is a 8-bit block cipher having a generalized Feistel structure with four -bit data lines. For the key lengths of 8, 9, and 56 bits, CLEFIA has 8, , and 6 rounds respectively. The encryption function uses four -bit whitening keys W K, W K, W K, W K {, } and r -bit round keys, where r is the number of rounds. i {, } ( i < r) represents a round key, and W K, W K, W K, W K {, } are whitening keys. We denote the d-branch r-round generalized Feistel network employed in CLEFIA as GF N d,r.
[Fig. : CLEFIA. (a) Encryption function ENC r; (b) the F functions]

The encryption process can be seen in Fig. (a). The details of GF N 4,r are as follows:

Step. T T T T P (P W K ) P (P W K )
Step. For i = to r do the following: T T F (T, i ), T T F (T, i+ ) T T T T T T T T
Step. C C C C T (T W K ) T (T W K )

Each round contains two parallel F functions, F and F, and their structures are shown in Fig. (b), where S and S are 8 8-bit S-boxes. The details of F are as follows:

Step. T T T T x, T i {, } 8, x {, }
Step. T S (T ), T S (T ), T S (T ), T S (T )
Step. y = M (T, T, T, T ) T, y {, }

F is defined by replacing the terms in F as follows: S is replaced with S, S with S, and M with M.
The two matrices M and M used in the F-functions are defined as follows (rows separated by semicolons):

M = ( x x x4 x6 ; x x x6 x4 ; x4 x6 x x ; x6 x4 x x ), M = ( x x8 x xa ; x8 x xa x ; x xa x x8 ; xa x x8 x ).

Key Scheduling

For the 8-bit key, the Double Swap function Σ : {, } 8 {, } 8 is defined as follows:

(8) [7 6] [ 7] [ 6] [64 ]

where [a b] denotes a bit string cut from the a-th bit to the b-th bit of . Let K = K K K K be the key and L be an intermediate key; the key scheduling consists of the following steps:

Step. L GF N 4, (CON, , CON, K, , K )
Step. W K W K W K W K K
Step. For i = to 8 do the following:
  T L (CON 4+4i CON 4+4i+ CON 4+4i+ CON 4+4i+ )
  L Σ(L)
  If i is odd: T T K
  4i 4i+ 4i+ 4i+ T

We need 6 constant values CON (s) ( s 59) in the 8-bit key scheduling algorithm. Let R = xb7e (= (e ) 6 ) and Q = x4f (= (π ) 6 ), where e is the base of the natural logarithm ( ) and π is the circle ratio ( ). CON (s) are generated in the following way, in which IV 8 = x48a (= ( ) 6 ):

Step. T IV 8
Step. For j = to 9 do the following:
  CON j (T R) (T <<< )
  CON j+ (T Q) (T <<< 8)
  T T x (mod z 6 + z 5 + z + z + z 5 + z 4 + )

The key relations we found are illustrated in Appendix D.

The Impossible Differential-Linear Attack

Inspired by the differential-linear attack, first introduced by Langford and Hellman in [], we propose a new cryptanalytic method called the impossible differential-linear attack, because it combines impossible differential cryptanalysis and linear cryptanalysis together. The attack is not completely new, since the impossible differential attack and the linear attack were typical and widely used in
previous attacks on various cryptosystems. However, no previous work has been done on combining these two together.

The block cipher E is represented as E = E E, where E and E are two subciphers. We use an impossible differential Ω P Ω T with probability for E, and a linear approximation λ P λ T with probability / + q for E, where λ P Ω T is a fixed value π ( or ). Our impossible differential-linear attack procedure is described as follows.

. Encrypting stage: Let M be the set of chosen plaintext pairs whose difference P P is Ω P; we encrypt distinct plaintexts in M. In E, we have E (P ) E (P ) Ω T with probability . In E, we can get the equations
λ P E (P ) λ T E (E (P )) λ K K = ()
and
λ P E (P ) λ T E (E (P )) λ K K = .
Both of their probabilities are / + q. Consequently, using the piling-up lemma presented in [5], we get
λ P (E (P ) E (P )) = λ T E (E (P )) λ T E (E (P )) ()
with probability / + q .

. Decrypting stage: In this stage we guess part of the subkeys, then decrypt some rounds of the ciphertext pairs with the guessed subkeys. The decrypting process is also separated into two subciphers E and E, i.e., D = E E. In the first decrypting subcipher E, substituting λ P Ω T = π into Eq.(), it can be rewritten as
λ T E (E (P )) λ T E (E (P )) = λ P Ω T = π.
In fact, we just partially decrypt all ciphertext pairs (C, C ) = (E (E (P )), E (E (P ))) with each guessed subkey in the first decrypting subcipher E. The subkey with the maximal probability of not satisfying Eq.()
λ P E (C) λ P E (C ) = π, ()
is regarded as the correct subkey. Denote the set of pairs satisfying E (C) E (C ) = Ω T as T, and denote the set of pairs satisfying λ P E (C) λ P E (C ) = π as V. It is certain that T V.

Property. For T V, if an impossible map M V holds, then another impossible map M T also holds.

Proof. Assume that there is a map F : M T. Randomly choose p M, and compute t = F (p) T. Since T V, we get t V, which indicates that there is t = F (p) V, i.e., the map F : M V holds. This contradicts the known condition.

. Sieving stage: Guess part of the first rounds' subkeys, and eliminate those wrong values by showing that the impossible property holds if these subkeys are used. That is, we eliminate those wrong values in terms of E (P ) E (P ) E (C) E (C ), where λ P E (C) λ P E (C ) = π. From Property , after the sieving stage, the right values must satisfy E (P ) E (P ) Ω T.

Property. In the sieving stage, the success probability of sieving guessed values by E (P ) E (P ) E (C) E (C ), where λ P E (C) λ P E (C ) = π, is much higher than the filtering probability using E (P ) E (P ) Ω T.

Proof. In the sieving stage, we eliminate those wrong guessed key values which satisfy Eq.(). When the number of eliminated values is less than the total number, the more values are eliminated, the higher the successful sieving probability. After the first decrypting subcipher E, the number of key values satisfying Eq.() is more than the number of wrong key values with E (C) E (C ) = Ω T. So Property is established.

We name all the above an impossible differential-linear distinguisher. The probability of our distinguisher is dominated by the above steps -, which can be estimated separately as follows. The success rates are / + q and in the encrypting stage and the decrypting stage, respectively. Because our elimination principle is sieving the values using the condition E (P ) E (P ) E (E (E (P ))) E (E (E (P ))), where λ P E (E (E (P ))) λ P E (E (E (P ))) = π, the total probability of our distinguisher is (/ + q ), i.e., / q. The key recovery attack requires about 8 O(q 4 ) chosen plaintext pairs.

4 The -Round Impossible Differential-Linear Distinguisher

In this section, we first present a -round impossible differential-linear distinguisher, which consists of a 9-round impossible differential characteristic followed by a 4-round linear approximation.

Round Impossible Differential Characteristic

Paper [8] presented several 9-round impossible differential characteristics.
We choose the following one, which is the most efficient and suitable for our attack:
(, ϖ, , ) (, β, , ), where ϖ = (, , , x), β = (y, , , ).
After the encryption of 9 rounds, the input difference of the th round cannot have the following form:
9 = ( 9, 9, 9, 9 ) = (β, , , ) (4)
with probability , as illustrated in Fig. .

[Fig. : -round impossible differential-linear distinguisher (9-round impossible differential characteristic followed by a 4-round linear characteristic)]

4. 4-Round Linear Characteristic

Here we describe the construction of a 4-round linear characteristic, illustrated in Fig. , which runs from round to round . Details of the 4-round linear characteristic are described as follows. In the th round, we get 9 = . In the th round, based on the definition of the round function F, we can get the following two equations:
F (, ) = , =
Using linear approximations for the non-linear S-boxes in F, we can get the following equation:
λ P F (, ) = λ Q λ Q
As a result, the linear characteristic of the th round can be expressed by the following equation:
λ P = λ P λ Q λ Q, p = / + q (5)
Similarly, the linear characteristic of the th round can be expressed as
λ Q = λ Q λ T λ T, p = / + q (6)
In the th round, we first get the following equation:
F (, 4 ) = , =
Next, we can choose an appropriate pair of values (λ P, λ Q ) by taking the linear characteristics expressed in Eq.(5) and Eq.(6) into account, and get the linear characteristic of the th round as follows:
λ P = λ P λ Q λ Q 4, p = / + q (7)
Finally, by concatenating the above linear characteristics of rounds - together, we have the following property:

Property. If Eq.(5)-(7) hold, we get the following 4-round linear characteristic of CLEFIA from round to round :
λ P 9 = λ P = λ P λ T λ K K, p = / + q q q (8)

Proof. If Eq.(5)-(7) are true, this property is obvious from the CLEFIA structure.

Note. Similarly, if we arbitrarily choose a 4-round CLEFIA from round i (i ) to round i + , we can rewrite Eq.(5)-(7) as the following Eq.(5 )-(7 ):
λ P i+ = λ P i+ λ Q i+ λ Q (i+)+, p = / + q (5 )
λ Q i+ = λ Q i+ λ T i+ λ T (i+), p = / + q (6 )
λ P i+ = λ P i+4 λ Q i+4 λ Q (i+), p = / + q (7 )
and we can obtain the following 4-round linear characteristic:
λ P i = λ P i+ = λ P i+4 λ T i+ λ K K, p = / + q q q
4-Round Linear Approximations. Furthermore, we can derive the 4-round linear input mask from the above 4-round linear characteristic. Let (v, u) k be an approximation of a -bit invertible function F s ( i j, k), ( s , k 5). Eq.(5) suggests that the linear approximation of function F (, ) is
(v, u) = (λ Q, λ P ) (9)
Eq.(6) indicates that the linear approximation of function F (, ) is
(v, u) = (λ T, λ Q ) ()
and Eq.(7) indicates
(v, u) 4 = (λ Q, λ P ). ()
Denoting the input mask of the j th -bit input data in the i th round as IM j i ( i 6, j ), which is also the output mask of the ((j + ) mod 4) th output data in the (i ) th round, we get IM = IM = λ P from Eq.(9), IM = IM = λ Q and IM = λ T from Eq.(), and IM = IM = λ P from Eq.(). In addition, we can also derive IM = , IM = , and IM = , and so on. As a result, we can derive some 8-bit input masks as follows:

Property 4. If Property holds, the 8-bit input masks of 4-round CLEFIA are:
In the th round: IM 9 = (IM 9, IM 9, IM 9, IM 9 ) = (λ P, , , ).
In the th round: IM = (IM, IM, IM, IM ) = (, , , λ P ).
In the th round: IM = (IM, IM, IM, IM ) = (, λ Q, λ P, ).
In the th round: IM = (IM, IM, IM, IM ) = (λ Q, λ P, , λ T ).
In the 4 th round: IM = (IM, IM, IM, IM ) = (λ P, , λ T, ), where denotes an unknown -bit input mask.

Note. If a 4-round CLEFIA, from round i (i ) to round i + , satisfies Eq.(5 )-(7 ), its 8-bit input masks are IM i = (λ P, , , ), IM i+ = (, , , λ P ), IM i+ = (, λ Q, λ P, ), and IM i+ = (λ Q, λ P, , λ T ), respectively. Additionally, IM i+4 = (λ P, , λ T, ).

4. The -Round Impossible Differential-Linear Distinguisher

Here, we first propose a new property, the impossible differential-linear property, which is a concatenation of an impossible differential characteristic and a linear characteristic. To concatenate the above two parts together, the core technology resides in how to link the output differential 9 = (β, , , ) and the input masks IM 9 = (λ P, , , ) of the th round together. From section 4., we have β = (y, , , ), y F 8 \{}. If we choose λ P = (, λ, λ, λ ), λ {, , ...ff}, by Eq.(4) we get the following equation with probability :
λ P 9 = λ P (9 9 ) = . ()
As a result, we always have IM 9 9 = (, , , ) in the th round, which links the output differential 9 and the input masks IM 9 together.

Property 5. For a pair of plaintexts (P, P ) whose difference is (, ϖ, , ) with ϖ = (, , , x), if we choose λ P = (, λ, λ, λ ), λ {, , ...ff}, the 4-round linear characteristic can be concatenated to the 9-round impossible differential characteristic based on Eq.(8) and Eq.() to form the following -round impossible differential-linear distinguisher:
λ P ( ) λ T ( ) = ()
Details of another -round impossible differential distinguisher are discussed in Appendix A.

4.4 Selection of λ

In this subsection, we show how to select the values for λ P, λ Q and λ T to make the bias of the 4-round linear characteristic as high as possible. At first, we analyze the linear approximation of F in the th round as follows:
λ P F (, ) = λ Q λ Q
The four output bytes of the S-boxes are denoted as (u, v, z, w). Then the round function can be expressed as:
F (, ) = M (S( )) = M (u, v, z, w)
According to the definition in section , we get the following equation (rows separated by semicolons):
M (u, v, z, w) T = ( u (8 v) ( z) (a w) ; (8 u) v (a z) ( w) ; ( u) (a v) z (8 w) ; (a u) ( v) (8 z) w )
Next, based on the discussion in section 4. about how to choose the value of λ P, the left part of the linear approximation can be computed as follows:
λ P F (, ) = {, λ, λ, λ } M (u, v, z, w) T = λ (v (8 v) z ( z) w (a w))
Note that the primitive polynomial used in the multiplication is z 8 + z 4 + z + z + , which can be denoted as a binary string . Hence, we can compute the parity of λ ( z) in two cases as follows:
λ ( z) = λ (z << ), z 7 = ;
λ ( z) = λ (z << ), z 7 = ;
where z 7 denotes the left-most bit of z. By choosing an appropriate value of λ such that λ = , the above two cases can both be transformed into the following equation:
λ ( z) = λ (z << ) = (λ >> ) z
no matter what the left-most bit of z is. Similarly, when λ also satisfies (λ >> ) = , the parity of λ (8 v) and λ (a w) can be computed respectively as follows:
λ (8 v) = λ (v << ) = (λ >> ) v
λ (a w) = λ (( w) (8 w)) = ((λ >> ) (λ >> )) w
Therefore, the left part of the linear approximation can be transformed into the following equation:
λ P F (, ) = (λ (λ >> )) v (λ (λ >> )) z (λ (λ >> ) (λ >> )) w = {, λ (λ >> ), λ (λ >> ), λ (λ >> ) (λ >> )} (u, v, z, w)
By utilizing the linear distribution table of each S-box, we use the following linear approximation for each S-box (ε denotes the bias of the linear approximation):
(λ (λ >> )) v = λ ( ), p 4 = / + ε
(λ (λ >> )) z = λ ( ), p 5 = / + ε
(λ (λ >> ) (λ >> )) w = λ ( ), p 6 = / + ε
where ( ) j stands for the j th byte of ( ) ( j ), and (u, v, z, w) denotes the corresponding output of each S-box respectively. As a result, we get the following linear approximation for the function F in the th round:
λ P F ( ) = {, λ, λ, λ } ( ), p = / + ε ε ε
Note that we choose λ Q of the form λ Q = {, λ, λ, λ }, such that we can make use of the property of the linear transformation as described in section 4.. Similar analysis can be applied to the linear approximations used in the th and th rounds. By running through all the possible values of λ P, λ Q and λ T that satisfy the above conditions, we choose the following three linear approximations, which achieve the highest biases:
{, f6, f6, f6} F ( ) = {, eb, eb, eb} ( ), whose probability is p / .6;
{, eb, eb, eb} F ( ) = {, 49, 49, 49} ( ), whose probability is p / .8;
{, f6, f6, f6} F ( 4) = {, eb, eb, eb} ( 4), whose probability is p / .9.
Plugging the corresponding values of λ P, λ Q and λ T into Eq.(5)-(8), we get the following -round linear characteristic of CLEFIA:
{, f6, f6, f6} = {, f6, f6, f6} {, 49, 49, 49} λ K K (4)
whose probability is p / .6. Finally, the decrypting stage of the -round impossible differential-linear distinguisher can be expressed as:
{, f6, f6, f6} ( ) {, 49, 49, 49} ( ) = (5)
The total probability of the -round impossible differential-linear distinguisher can be computed as described in section , which is about / .

The Impossible Differential-Linear Attack on 6-Round CLEFIA-8

In this section, we explain our impossible differential-linear attack on 6-round CLEFIA-8 with whitening keys. In this attack, we set the above -round impossible differential-linear distinguisher at rounds -5, and extend two rounds backward and one round forward as shown in Fig. . The expression of the decrypting stage of the -round impossible differential-linear distinguisher should be transformed to the following form:
{, f6, f6, f6} (5 5 ) {, 49, 49, 49} ( 4 ) = , (6)
and the total probability of the -round impossible differential-linear distinguisher is around / 6.6, theoretically. Based on the analysis in section , we know that approximately ( 6.6 ) 6. correct pairs are needed to mount the key recovery attack. In the following, we first introduce how to obtain the plaintext pairs, then describe the attack procedure in detail as illustrated in Fig. . In the end, we estimate the data complexity and time complexity of our attack.

5. Chosen Plaintext

We choose a structure composed of 7 plaintexts that is defined as follows:
S P = (, , , ) j, j 7,
If we choose plaintext pairs (P, P ) where P = (, , , ) and P = (, , , ) = ( δ, γ, , ϖ), whose difference takes the form P = (δ, γ, , ϖ) with ϖ = (, , , x), δ = (aw, w, 8w, w), w = M (S(x )) M (S(x x)) (x F 8 ), and γ = (v, v, v, v ), we get = (, ϖ, , ).
For the computations of δ and γ, please refer to Fig. . Thus, we have 55 possible values of both ϖ and δ, possible values of γ, and one structure can produce about 9 distinct plaintext pairs.
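As an added example (not code from the paper or from the CLEFIA designers), the following Python carries out the mask-propagation step of section 4.4 concretely: GF(2^8) arithmetic with CLEFIA's polynomial z^8 + z^4 + z^3 + z^2 + 1, the diffusion matrices M0 and M1 (their entries are taken from the CLEFIA specification, because the page's rendering of them lost its digits), the transposed-multiplication rule behind λ·(2z) = (λ >> 1)·z, and the exact input mask on the S-box outputs (u, v, z, w) that an output mask of the form (0, λ, λ, λ) induces through M1. All function and variable names are my own.

```python
from functools import reduce
from operator import xor
import random

# CLEFIA's field GF(2^8) is defined by z^8 + z^4 + z^3 + z^2 + 1 (0x11d).
POLY = 0x11D

# Diffusion matrices from the CLEFIA specification (circulant over GF(2^8));
# the page's copy of them is garbled, so these entries come from the spec.
M0 = [[0x01, 0x02, 0x04, 0x06], [0x02, 0x01, 0x06, 0x04],
      [0x04, 0x06, 0x01, 0x02], [0x06, 0x04, 0x02, 0x01]]
M1 = [[0x01, 0x08, 0x02, 0x0A], [0x08, 0x01, 0x0A, 0x02],
      [0x02, 0x0A, 0x01, 0x08], [0x0A, 0x02, 0x08, 0x01]]


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def mat_mul(m, x):
    """Apply a 4x4 GF(2^8) matrix to the column vector x = (u, v, z, w)."""
    return [reduce(xor, (gf_mul(m[i][j], x[j]) for j in range(4))) for i in range(4)]


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def dot(mask, x) -> int:
    """GF(2) inner product <mask, x> of two 4-byte tuples (a linear-mask parity)."""
    return reduce(xor, (parity(mk & b) for mk, b in zip(mask, x)))


def mask_through_mult(lam: int, c: int) -> int:
    """Exact mask mu with <lam, c*z> == <mu, z> for every byte z: the transpose of
    multiplication by c.  The page's rule <lam, 2z> = <lam >> 1, z> is the case
    c = 2 under its side condition on lam (see shift_rule_holds)."""
    mu = 0
    for k in range(8):
        if parity(lam & gf_mul(c, 1 << k)):
            mu |= 1 << k
    return mu


def shift_rule_holds(lam: int) -> bool:
    """True iff <lam, 2z> == <lam >> 1, z> for all z.  Since 2z = (z << 1) ^ 0x1d
    exactly when the top bit of z is set, this is the condition <lam, 0x1d> = 0."""
    return all(parity(lam & gf_mul(2, z)) == parity((lam >> 1) & z) for z in range(256))


def input_mask(m, out_mask):
    """Input mask on (u, v, z, w) equivalent to out_mask applied to m*(u, v, z, w),
    built column by column from unit vectors because m is GF(2)-linear."""
    res = [0, 0, 0, 0]
    for j in range(4):
        for k in range(8):
            e = [0, 0, 0, 0]
            e[j] = 1 << k
            if dot(out_mask, mat_mul(m, e)):
                res[j] |= 1 << k
    return res


def section44_mask(lam: int):
    """The form the page derives for out mask (0, lam, lam, lam) on M1: the u term
    cancels (8 ^ 2 ^ a = 0), leaving lam.(v ^ 8v), lam.(z ^ 2z), lam.(w ^ aw)."""
    return [0, lam ^ mask_through_mult(lam, 0x08),
            lam ^ mask_through_mult(lam, 0x02),
            lam ^ mask_through_mult(lam, 0x0A)]


def check_mask_transfer(m, out_mask, trials=2000, seed=1) -> bool:
    """Spot-check <out_mask, m*x> == <input_mask, x> on pseudo-random inputs x."""
    rng = random.Random(seed)
    im = input_mask(m, out_mask)
    return all(dot(out_mask, mat_mul(m, x)) == dot(im, x)
               for x in ([rng.randrange(256) for _ in range(4)] for _ in range(trials)))


if __name__ == "__main__":
    lam = 0xF6  # the value the page selects for lambda_P
    print("mask on (u,v,z,w) for (0,f6,f6,f6) through M1:",
          [hex(b) for b in input_mask(M1, [0, lam, lam, lam])])
    print("shift rule holds for f6:", shift_rule_holds(lam), "; for 01:", shift_rule_holds(0x01))
```

input_mask gives the exact transposed mask for any matrix and output mask, so it can also be used to check the λ_Q and λ_T choices of the other two rounds, which use the same construction.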
[Fig. : 6-round impossible differential-linear attack (two rounds with whitening keys before the -round impossible differential-linear distinguisher and one round after it)]

5. The Impossible Differential-Linear Attack on 6-Round CLEFIA-8 with Whitening Keys

In the following, we discuss our impossible differential-linear attack on 6-round CLEFIA-8 with whitening keys in detail. In Fig. , plaintext P = , ciphertext C = 6.

Step. Take 5.7 structures defined above, i.e. = .7 plaintexts, so = 69.7 plaintext pairs. Encrypt the .7 distinct plaintexts for 6 rounds. Insert all ciphertexts into a table T indexed by 5 ( 5 = 6 ).

Step. Let the -bit subkey and the 4-bit subkey ( 9 W K ) be indexed by N, ..., N 56 and reset N i ( i 56 ).
Create a table T of F (5, ), indexed by all values of and values of 5. For every guess of ( bits), look up the value of F (5, ) in T for each 5, and obtain the value of 5 W K = 6 F (5, ) for each 6. Select only the pairs whose differences are equal in the first byte of (5 W K ); the expected number of such pairs is = 6.7. Then for every guess of the last three bytes of subkey 9 W K (4 bits), we can partially compute the value of λ Q 4 = λ Q (F (5 W K, 9 W K ) 6 ) for each 6, and the value of λ P 5 λ Q 4. If the pair satisfies Eq.(6), increment the corresponding N i by . After running all 56 guesses, we output the minimum value of N i as the 56-bit correct subkeys. Based on the analysis in section and [,5], we know that approximately 8 ( 6.6 ) .5 plaintext pairs are needed for the -round impossible linear distinguisher; we expect to have 8. pairs left with this condition.

Step. We eliminate those wrong 4-bit values for the first two rounds' subkeys (, ) (the first three zero bytes of ϖ only lead to the last byte of that affects F, so -bit and 8-bit ) by showing that the impossible property holds if these subkeys are used. To do so, we use a precomputation stage. At this precomputation stage, we consider all pairs whose difference (, , , ) = (, ϖ, , ) after the first two rounds of encryption. To achieve this, we need to perform two steps: the first step makes sure that = , and the second step ensures = .

). If = , there are possible values for . We perform A = F ( W K ) and create a hash table H containing one of the outputs of A and the XOR of the two outputs ( ). There are possible values for ( ), and on average one value of corresponds to each value of ( ). Now for each of the 8. remaining pairs we compute ( ), and use the table H to fetch one possibility of that corresponds to the computed ( ). The process identifies roughly one wrong value for the subkey by XORing the plaintext and A. The probability of a wrong -bit value for is ( ). After analyzing all 8. pairs, we expect only ( ) wrong values of remaining.

). In round , if = , there are possible values for . We perform A = F ( ) = F ( ) and create a hash table H containing one of the outputs of A and the XOR of the two outputs ( ). There are possible values for ( ) and 8 possible values for . Now for each of the 8. remaining pairs we compute ( ), and use the table H to fetch one possibility of that corresponds to the computed ( ). The process identifies roughly one wrong value for the subkey by XORing the plaintext and A. The probability of a wrong 8-bit value for is ( ). After analyzing all 8. pairs, we expect only 8 ( ) wrong values of .

Therefore, wrong values of the 4-bit (, ) can be established unless the initial guess of the -bit value of or the 4-bit value of ( 9 W K ) is correct. It is expected that we can eliminate the whole 4-bit value of and in this step, since the wrong values of (, , ( 9 W K ), ) remain with a small probability of max{ = 9, = 4 }. Hence if there remains a value of (, ), we can assume that the guessed 56-bit values for ( 9 W K ) and are correct. Our attack can recover 96-bit subkeys.

Complexity Analysis. According to the above analysis, a structure has 7 plaintexts and we need about 5.7 structures, so the data complexity of our attack is about = .7. Step needs .7 encrypting operations, and Step requires ( ) 97 F operations, which is equal to 96 one-round operations. The required time for memory access in Step is less than ( ) 8. + ( 8 ) 8. . F operations, i.e. . one-round operations. Therefore, the total time complexity of our attack can be estimated as about .7 + ( ) / / = 9.7 . Memory: bytes are needed to store the table T, 96 / = 9 bytes are needed to store the list of deleted key values (, 9, , ), = bytes are needed to store the hash tables (H, H ), and 64 / = 6 bytes are needed to store table T. Our attack can recover 96-bit subkeys (, , 9 W K, ).

Note. For another -round impossible differential-linear distinguisher and another 6-round attack on CLEFIA-8, please refer to Appendix A and Appendix B, respectively. For attacks on 5-round CLEFIA-8, please refer to Appendix C. Our attack is also effective against CLEFIA-9 and CLEFIA-56.

Conclusion

In this paper, we present a new attack, the impossible differential-linear attack, and achieve a result on 6-round CLEFIA-8 with .7 CP and a time complexity that is also .7. The comparison of cryptanalytic results on CLEFIA is illustrated in Table , which shows that our attack is more efficient than the present results. The attack is also effective on 5-round CLEFIA-8, as given in Appendix C.

References

. E. Biham, O. Dunkelman, N. Keller.
Enhancing Differential-Linear Cryptanalysis. In: Advances in Cryptology, Proceedings of ASIACRYPT , Lecture Notes in Computer Science, vol. 5, pp. . Springer ().
. A. Bogdanov, V. Rijmen. Linear Hulls with Correlation Zero and Linear Cryptanalysis of Block Ciphers.
. S. K. Langford, M. E. Hellman. Differential-Linear Cryptanalysis. In: Advances in Cryptology, Proceedings of CRYPTO 94. LNCS, vol. 89, pp. . Springer, Heidelberg (994).
4. C. Langford. Improbable Differential Attack: Cryptanalysis of Reduced Round CLEFIA. In: Advances in Cryptology, Proceedings of INDOCRYPT . LNCS, vol. 6498, pp. . Springer, Heidelberg ().
5. M. Matsui. Linear Cryptanalysis Method for DES Cipher. In: Advances in Cryptology, Proceedings of EUROCRYPT 9. LNCS, vol. 765, pp. . Springer, Heidelberg (994).
6. T. Shirai, K. Shibutani, T. Akishita, S. Moriai, T. Iwata. The 8-bit Blockcipher CLEFIA. In: Proceedings of Fast Software Encryption 7, LNCS, vol. 459, pp. (7).
7. Sony Corporation. The 8-bit Blockcipher CLEFIA: Security and Performance Evaluations. Revision ., on-line document, 7 June (7).
8. Y. Tsunoo, E. Tsujihara, M. Shigeri, T. Saito, T. Suzaki, H. Kubo. Impossible Differential Cryptanalysis of CLEFIA. In: Fast Software Encryption, FSE 8, LNCS, vol. 586, pp. . Springer-Verlag (8).
9. W. Zhang, J. Han. Impossible Differential Analysis of Reduced Round CLEFIA. In: Proceedings of Inscrypt 8, Beijing, China, pp. (8).

Table . Comparison of Cryptanalysis Results of CLEFIA-8
Reference | Rounds | Recovered Key | Data Complexity | Time Complexity
[6,7] -bit .7
[8] 7-bit
[9] 8-bit
this paper 6 96-bit .7 .7
this paper 6 4-bit 4.5
this paper 5 64-bit
this paper 5 64-bit
Appendix A. Another -round impossible differential-linear distinguisher

Another -round impossible differential-linear distinguisher concatenates an impossible differential (, , , ϖ) (, , , β) [] with a 4-round linear characteristic. For details please refer to Fig. 4.

[Fig. 4: -round impossible differential-linear distinguisher (9-round impossible differential characteristic followed by the 4-round linear characteristic λ P ' 9 = λ P = λ P λ T λ K K)]
Appendix B. Another Attack on 6-round CLEFIA-8

Another 6-round attack on CLEFIA-8 is illustrated in Fig. 5, with the -round impossible differential-linear distinguisher of section 4 and a three-round extension on the plaintext side. Its main idea is: choose a structure composed of 4 plaintexts, whose corresponding plaintext pairs are of the form P = (ϖ, ξ, γ, θ). Encrypt all 8 plaintext pairs, and select only the pairs whose ciphertexts are equal in the first byte of 6. According to section 5., we can recover 4-bit subkeys. The data complexity is about [ 4 8 ( 6.6 ) / ( 8 8 8)] 4.5. The time complexity is [( ) / + (( ) 7 + ( ) 7 + ( 8 ) 7 ) / ] / 6 .

[Fig. 5: 6-round impossible differential-linear attack (three-round extension on the plaintext side)]
Appendix C. Attacks on 5-round CLEFIA-8

The attacks on 5-round CLEFIA-8 below are all with whitening keys. The details of the attack can be divided into two cases.

The first extension is one round on the plaintext side and one round on the ciphertext side, as illustrated in Fig. 6. We can choose a structure composed of 4 plaintexts, whose plaintext differences are of the form P = (, , ϖ, δ). Obviously, one structure can produce about 55 different plaintext pairs. Similar to section 5., we can recover a 64-bit subkey composed of (8 bits), 7 (4 bits), and 8 ( bits), with the impossible differential-linear attack. The data complexity is 4 [8 ( 6.6 ) / ( )] 4.5. The time complexity is [( ) / + (( 8 ) 8 ) / ] / 5 9.

The second extension is two rounds on the plaintext side, illustrated in Fig. 7. We can choose a structure composed of 7 plaintexts, whose plaintext differences are of the form P = (δ, γ, , ϖ). Obviously, one structure can produce about 9 distinct plaintext pairs. Similar to section 5., we can recover a 64-bit subkey, that is ( bits), (8 bits), and 9 (4 bits), with the impossible differential-linear attack. The data complexity is 7 [8 ( 6.6 ) / ( )] 4.5. The time complexity is [( ) / + (( ) 4 + ( 8 ) 4 ) / ] / 5 99.

[Fig. 6: 5-round impossible differential-linear attack (one-round extension on the plaintext side and one on the ciphertext side)]

[Fig. 7: 5-round impossible differential-linear attack (two-round extension on the plaintext side)]
Appendix D. Round Key Relation

According to the description in section , we get the relationship between the generated round keys and related data as follows:
L CON 4 CON 5 CON 6 CON
Σ(L) K CON 8 CON 9 CON CON 8 9
Σ (L) CON CON CON 4 CON
Σ (L) K CON 6 CON 7 CON 8 CON
Σ 4 (L) CON 4 CON 4 CON 4 CON 4
Σ 5 (L) K CON 44 CON 45 CON 46 CON
Σ 8 (L) CON 56 CON 57 CON 58 CON 59
Based on the properties proved in [5], we get the following key relations:
C = [56 6] [ ] [7 7]
C = [7 95] [96 99] [ 6] 4
C = [ 4] [8 ] [ 55] 5
C 4 = [ ] [5 7] [64 7]
where
C = CON 56 (CON 5 [56 6] CON 7 [ ] CON 7 [7 7] )
C = CON 57 (CON 6 [7 95] CON 7 [96 99] CON 7 [ 6] )
C = CON 58 (CON 4 [ 4] CON 4 [8 ] CON 5 [ 55] )
C 4 = CON 59 (CON 4 [ ] CON 4 [5 7] CON 6 [64 7] )
Thus we get the following properties from the above derivations:
Property 6. If bits are known, we can get 4 bits [7 95] and 8 bits [96 99] [ 6].
Property 7. If bits 4 are known, then we can get 8 bits [ 4] [8 ] and 4 bits [ 55].