Li Shenhua,Zhang Haina,Wang Xiaoyun

DOI: https://doi.org/10.1016/s1007-0214(09)70032-x

2009-01-01

Abstract:ARIA is a new block cipher designed as the block cipher standard of South Korea.The current version is 1.0,which is an improvement of version 0.8 with the security using four kinds of S-boxes instead of two and an additional two rounds of encryptions.These improvements are designed to prevent the dedicated linear attack on ARIA version 0.8 by the four different kinds of S-boxes.This paper presents 12 linear approximations of a single round function that succeeds in attacking ARIA version 1.0 on 7,9,or 9 rounds for key sizes of 128,192,or 256 bits using any of these approximations.The corresponding data complexities are 2 87 ,2 119 ,and 2 119 ,the counting complexities are 1.5×2 88 ,2 119 ,and 2 119 ,the memory required for each attack on all three key versions is 2 64 bits and there are 12 weak key classes.These results are similar to the dedicated linear attack on ARIA version 0.8 and show that the improved version can also not effectively resist this type of attack.

Dongxia Bai,Hongbo Yu

DOI: https://doi.org/10.1007/978-3-319-27659-5_11

2015-01-01

Abstract:ARIA is a 128-bit SPN block cipher selected as a Korean standard. This paper processes meet-in-the-middle attacks on reduced-round ARIA. Some 4-round and 5-round significant distinguishing properties which involve much fewer bytes parameters are proposed. Based on these better distinguishers, attacks on 7-round ARIA-192/256 and 8-round ARIA-256 are mounted with much lower complexities than previous meet-in-the-middle attacks. Furthermore, we present 7-round attack on ARIA-128 and 9-round attack on ARIA-256, which are both the first results for ARIA in terms of the meet-in-the-middle attack.

Jorge Nakahara,Pouyan Sepehrdad,Bingsheng Zhang,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-10433-6_5

2009-01-01

Abstract:The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Meichun Jia Xiaoni Du Yanan Zheng Xiangyu Wang a College of Mathematics and Statistics,Northwest Normal University,Lanzhou,Gansu,Chinab Key Laboratory of Cryptography and Data Analytics,Northwest Normal University,Lanzhou,Gansu,Chinac Gansu Provincial Research Center for Basic Disciplines of Mathematics and Statistics,Northwest Normal University,Lanzhou,Gansu,ChinaMeichun Jia received her BSc from Chongqing Technology and Business University,China,in 2021. She is currently pursuing a Master's degree from Northwest Normal University,China. Her research interests include block ciphers and information security.Xiaoni Du is a professor at the College of Mathematics and Statistics,Northwest Normal University,China. She received her PhD in Cryptography from Xidian University. Her current research interests include information security,cryptography,and coding.Yanan Zheng received her BSc from Northwest Normal University,China,in 2021. She is currently pursuing a Master's degree from Northwest Normal University,China. Her research interests include block ciphers and information security.Xiangyu Wang received her BSc from Henan Polytechnic University,China,in 2020. She is currently pursuing a Master's degree from Northwest Normal University,China. Her research interests include block ciphers and information security.

DOI: https://doi.org/10.1080/01611194.2024.2401402

2024-10-03

Cryptologia

Abstract:uBlock and RAIN are both SPN structure lightweight block ciphers with sufficient security against traditional attacks. This article mainly focuses on the zero-correlation linear cryptanalysis of uBlock-128/128 and RAIN-64 without considering the whitening key for the first time. On the one hand, combining the linear mask propagation rules of S -box with matrix method, a large number of 4-round zero-correlation linear approximations for uBlock-128/128 are obtained. Therefore, a 6-round key recovery attack is carried out with partial-compression technique, which can recover 48-bit subkeys with data complexity 2126.41 known plaintexts, time complexity 2122.82 times of 6-round of algorithm encryptions, and memory complexity 248 nibbles. On the other hand, a similar method is used on RAIN-64, thus a 10-round attack is performed, which recovers 64-bit subkeys with data complexity 261.95 known plaintexts, time complexity 274.26 times of 10-round algorithm encryptions, and memory complexity 264 nibbles. The results show that both uBlock and RAIN are safe enough to resist zero-correlation linear cryptanalysis.

mathematics, applied,computer science, theory & methods,history & philosophy of science

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Zhichao Xu,Hong Xu,Lin Tan,Wenfeng Qi

DOI: https://doi.org/10.1016/j.jisa.2024.103773

IF: 4.96

2024-04-19

Journal of Information Security and Applications

Abstract:SPECK and SPARX are two kinds of block ciphers with an ARX structure. In this paper, we use the SAT-based automatic search tool to search for linear approximations of these two ARX ciphers. As a result, we find a linear approximation for 17-round SPECK128, which covers one more round than previous work. Based on this linear approximation, we propose improved linear cryptanalysis for 19-round SPECK128/192 and 20-round SPECK128/256, which cover one more round than previous work. For ARX cipher SPARX, we find an optimal linear approximation for 13-round SPARX-64, which covers three more rounds than previous work. We also find an optimal linear approximation for 10-round SPARX-128, which covers two more rounds than previous work. Furthermore, we find a linear approximation for 14-round SPARX-128 by splicing two short linear approximations, which covers four more rounds than previous work. Based on these linear approximations, we propose linear cryptanalysis for 15-round SPARX-64/128, 15-round SPARX-128/128 and 16-round SPARX-128/256.

computer science, information systems

Meiqin Wang,Xiaoyun Wang,Changhui Hu

DOI: https://doi.org/10.1007/978-3-642-04159-4_28

2008-01-01

Abstract:This paper presents a linear cryptanalysis for reduced round variants of CAST-128 and CAST-256 block ciphers. Compared with the linear relation of round function with the bias 2驴 17 by J. Nakahara et al., we found the more heavily biased linear approximations for 3 round functions and the highest one is 2驴 12.91. We can mount the known-plaintext attack on 6-round CAST-128 and the ciphertext-only attack on 4-round CAST-128. Moreover the known-plaintext attack on 24-round CAST-256 with key size 192 and 256 bits has been given, and the ciphertext-only attack on 21-round CAST-256 with key size 192 and 256 bits can be performed. At the same time, we also present the attack on 18-round CAST-256 with key size 128 bits.

Cui Tingting,Chen Shiyao,Fu Kai,Wang Meiqin,Jia Keting

DOI: https://doi.org/10.1007/s11432-018-1506-4

2020-01-01

Science China Information Sciences

Abstract:Impossible differential and zero-correlation linear cryptanalysis are two of the most powerful cryptanalysis methods in the field of symmetric key cryptography. There are several automatic tools to search such trails for ciphers with S-boxes. These tools focus on the properties of linear layers, and idealize the underlying S-boxes, i.e., assume any input and output difference pairs are possible. In reality, such S-box never exists, and the possible output differences with any fixed input difference can be at most half of the entire space. Hence, some of the possible differential trails under the ideal world become impossible in reality, possibly resulting in impossible differential trails for more rounds. In this paper, we firstly take the differential and linear properties of non-linear components such as S-box into consideration and propose a new automatic tool to search impossible differential trails for ciphers with S-box. We then generalize the tool to modulo addition, and apply it to ARX ciphers. To demonstrate the usefulness of the tool, we apply it to HIGHT, SHACAL-2, LEA, LBlock. As a result, it improves the best existing results of each cipher. keywords Impossible differential cryptanalysis, zero-correlation linear cryptanalysis, MILP, automatic tool

Wentan Yi,Shaozhen Chen

DOI: https://doi.org/10.48550/arXiv.1405.6483

2014-05-26

Cryptography and Security

Abstract:Block cipher E2, designed and submitted by Nippon Telegraph and Telephone Corporation, is a first-round Advanced Encryption Standard candidate. It employs a Feistel structure as global structure and two-layer substitution-permutation network structure in round function with initial transformation IT function before the first round and final transformation FT function after the last round. The design principles influences several more recent block ciphers including Camellia, an ISO/IEC standard cipher. In this paper, we focus on the key-recovery attacks on reduced-round E2-128/192 taking both IT and FT functions in consideration with integral cryptanalysis. We first improve the relations between zero-correlation linear approximations and integral distinguishers, and then deduce some integral distinguishers from zero-correlation linear approximations over 6 rounds of E2. Furthermore, we apply these integral distinguishers to break 6-round E2-128 with 2^{120} known plaintexts (KPs), 2^{115.4} encryptions and 2^{28} bytes memory. In addition, the attack on 7-round E2-192 requires 2^{120} KPs, 2^{167.2} encryptions and 2^{60} bytes memory.

Xu, Zhichao,Xu, Hong,Tan, Lin,Qi, Wenfeng

DOI: https://doi.org/10.1007/s12095-024-00708-z

2024-04-02

Cryptography and Communications

Abstract:Differential-linear cryptanalysis is an efficient cryptanalysis method to attack ARX ciphers, which have been used to present the best attacks on many ARX primitives such as Chaskey and Chacha. In this paper, we present the differential-linear cryptanalysis of another ARX-based block cipher SPARX-64/128. We first construct multiple 6-round differential-linear distinguishers based on the structure of SPARX-64/128, and then extend them into 14-round differential-linear distinguishers by adding a 7-round differential characteristic before and a one-round linear approximation after the distinguishers. Then we introduce a new linear approximation of modular addition, and use it to extend one more round after the 14-round differential-linear distinguishers. With the 15-round differential-linear distinguishers, we present a differential-linear attack on 18-round SPARX-64/128.

computer science, theory & methods,mathematics, applied

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Boxin Zhao,Xiaoyang Dong,Willi Meier,Keting Jia,Gaoli Wang

DOI: https://doi.org/10.1007/s10623-020-00730-1

2020-01-01

Abstract:This paper gives a new generalized key-recovery model of related-key rectangle attacks on block ciphers with linear key schedules. The model is quite optimized and applicable to various block ciphers with linear key schedule. As a proof of work, we apply the new model to two very important block ciphers, i.e. SKINNY and GIFT, which are basic modules of many candidates of the Lightweight Cryptography (LWC) standardization project by NIST. For SKINNY, we reduce the complexity of the best previous 27-round related-tweakey rectangle attack on SKINNY-128-384 from 2 331 to 2 294 . In addition, the first 28-round related-tweakey rectangle attack on SKINNY-128-384 is given, which gains one more round than before. For the candidate LWC SKINNY AEAD M1, we conduct a 24-round related-tweakey rectangle attack with a time complexity of 2 123 and a data complexity of 2 123 chosen plaintexts. For the case of GIFT-64, we give the first 24-round related-key rectangle attack with a time complexity 2 91.58 , while the best previous attack on GIFT-64 only reaches 23 rounds at most.

Yi Chen,Zhenzhen Bao,Hongbo Yu

DOI: https://doi.org/10.1007/978-981-99-8727-6_8

2023-01-01

Abstract:The differential-linear attack is one of the most effective attacks against ARX ciphers. However, two technical problems are preventing it from being more effective and having more applications: (1) there is no efficient method to search for good differential-linear approximations. Existing methods either have many constraints or are currently inefficient. (2) partitioning technique has great potential to reduce the time complexity of the key-recovery attack, but there is no general tool to construct partitions for ARX ciphers. In this work, we step forward in solving the two problems. First, we propose a novel idea for generating new good differential-linear approximations from known ones, based on which new searching algorithms are designed. Second, we propose a general tool named partition tree, for constructing partitions for ARX ciphers. Based on these new techniques, we present better attacks for two ISO/IEC standards, i.e., LEA and Speck. For LEA, we present the first 17-round distinguisher which is 1 round longer than the previous best distinguisher. Furthermore, we present the first key recovery attacks on 17-round LEA-128, 18-round LEA-192, and 18-round LEA-256, which attack 3, 4, and 3 rounds more than the previous best attacks. For Speck, we find better differential-linear distinguishers for Speck48 and Speck64. The first differential-linear distinguishers for Speck96 and Speck128 are also presented.

Haibo Zhou,Zheng Li,Xiaoyang Dong,Keting Jia,Willi Meier

DOI: https://doi.org/10.1093/comjnl/bxz152

2020-01-01

The Computer Journal

Abstract:A new conditional cube attack was proposed by Li et al. at ToSC 2019 for cryptanalysis of KECCAK keyed modes. In this paper, we find a new property of Li et al.'s method. The conditional cube attack is modified and applied to cryptanalysis of 5-round KETJE Jr, 6-round XOODOO-AE and XOODYAK, where KETJE Jr is among the third round CAESAR competition candidates and XOODYAK is a Round 2 submission of the ongoing NIST lightweight cryptography project. For the updated conditional cube attack, all our results are shown to be of practical time complexity with negligible memory cost, and test codes are provided. Notably, our results on XOODYAK represent the first third-party cryptanalysis for XOODYAK.

Xiaoyang Dong,Yanzhao Shen

2016-01-01

Abstract:Midori is a hardware-oriented lightweight block cipher designed by Banik et al. in ASIACRYPT 2015. It has two versions according to the state sizes, i.e. Midori64 and Midori128. In this paper, we explore the security of Midori64 against truncated differential and related-key differential attacks. By studying the compact representation of Midori64, we get the branching distribution properties of almost MDS matrix used by Midori64. By applying an automatic truncated differential search algorithm developed by Moriai et al. in SAC 1999, we get 3137 4-round truncated differentials of Midori64. In addition, we find some 2-round iterative differential patterns for Midori64. By searching the differential characteristics matching the differential pattern, we find some iterative 2-round differentials with probability of 2−24, based on these differentials, a 11-round related-key differential characteristic is constructed. Then we mount a 14-round(out of 16 full rounds) related-key differential attack on Midori64. As far as we know, this is the first related-key differential attack on Midori64.

Isaac A. Canales-Martínez,Igor Semaev

DOI: https://doi.org/10.1007/s10623-024-01444-4

IF: 1.4

2024-06-20

Designs Codes and Cryptography

Abstract:Cryptanalysis of modern symmetric ciphers may be done by using linear equation systems with multiple right hand sides, which describe the encryption process. The tool was introduced by Raddum and Semaev (Des Codes Cryptogr 49(1):147–160, 2008) where several solving methods were developed. In this work, the probabilities are ascribed to the right hand sides and a statistical attack is then applied. The new approach is a multivariate generalisation of the correlation attack by Siegenthaler (IEEE Trans Comput C 49(1):81–85, 1985). A fast version of the attack is provided too. It may be viewed as an extension of the fast correlation attack in Meier and Staffelbach (J Cryptol 1(3):159–176, 1989), based on exploiting so called parity-checks for linear recurrences. Parity-checks are a particular case of the relations that we introduce in the present work. The notion of a relation is irrelevant to linear recurrences. We show how to apply the method to some LFSR-based stream ciphers including those from the Grain family. The new method generally requires a lower number of the keystream bits to recover the initial states than other techniques reported in the literature.

mathematics, applied,computer science, theory & methods

Yin Lv,Danping Shi,Lei Hu,Yi Guo

DOI: https://doi.org/10.1007/s10623-024-01458-y

IF: 1.4

2024-07-26

Designs Codes and Cryptography

Abstract:Linear cryptanalysis is one of the most classical cryptanalysis methods for block ciphers. Some critical techniques of the key-recovery phase are developed for enhancing linear cryptanalysis. Collard et al. improved the time complexity for last-round key-recovery attacks by using FWT. A generalized key-recovery algorithm for an arbitrary number of rounds with an associated time complexity formula is further provided by Flórez-Gutiérrez and Naya-Plasencia based on FWT in Eurocrypt 2020. However, the previous generalized algorithms are mainly applied to block ciphers with SPN structures, where the round-keys in the first and last round XORed to the state can be easily defined as outer keys . In Asiacrypt 2021, Leurent et al. applied the algorithm by Flórez-Gutiérrez et al. to Feistel structure ciphers. However, for other structures, such as NLFSR-based, the outer keys can not be directly deduced to utilize the previous algorithms. This paper extends the algorithm by Flórez-Gutiérrez et al. for more complicated structures, including but not limited to NLFSR-based, Feistel, ARX, and SPN. We also use the dependency relationships between ciphertext, plaintext and key information bits to eliminate the redundancy calculation and the improve analysis phase. We apply the algorithm with the improved analysis phase to KATAN (NLFSR-based) and SPARX (ARX). We obtain significantly improved results. The linear results we find for SPARX-128/128 beat other cryptanalytic techniques, becoming the best key recovery attacks on this cipher. The previous best linear attacks on KATAN32, KATAN48 and KATAN64 are improved by 9, 4, and 14 rounds, respectively.

mathematics, applied,computer science, theory & methods

Zheng Li,Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.13154/tosc.v2017.i1.175-202

2017-01-01

IACR Transactions on Symmetric Cryptology

Abstract:This paper evaluates the secure level of authenticated encryption ASCON against cube-like method. ASCON submitted by Dobraunig et al. is one of 16 survivors of the 3rd round CAESAR competition. The cube-like method is first used by Dinur et al. to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig et al. applied this method to 5/6-round reduced ASCON, whose structure is similar to Keccak keyed modes. However, for ASCON the non-linear layer is more complex and state is much smaller, which make it hard for the attackers to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack is on 6-round ASCON, while for Keccak keyed modes (Keccak-MAC and Keyak) the attacked round is no less than 7-round.In this paper, we generalize the conditional cube attack proposed by Huang et al., and find new cubes depending on some key bit conditions for 5/6-round reduced ASCON, and translate the previous theoretic 6-round attack with 2(66) time complexity to a practical one with 2(40) time complexity. Moreover, we propose the first 7-round key-recovery attack on ASCON. By introducing the cube-like key-subset technique, we divide the full key space into many subsets according to different key conditions. For each key subset, we launch the cube tester to determine if the key falls into it. Finally, we recover the full key space by testing all the key subsets. The total time complexity is about 2(103.9). In addition, for a weak-key subset, whose size is 2(117), the attack is more efficient and costs only 2(77) time complexity. Those attacks do not threaten the full round (12 rounds) ASCON.