Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9468-y

2018-08-31

Science China Information Sciences

Abstract:Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover’s and Simon’s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover’s and Simon’s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks require 20.25nr−0.75n quantum queries to break an r-round Feistel construction. The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of 20.75n. When compared with the best classical attacks, i.e., Dinur et al.’s attacks at CRYPTO 2015, the time complexity is reduced by a factor of 20.5n without incurring any memory cost.

computer science, information systems,engineering, electrical & electronic

Xiaoyang Dong,Bingyou Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s10623-020-00741-y

2020-03-09

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor's attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with <span class="mathjax-tex">\(2^{114.8}\)</span> quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of <span class="mathjax-tex">\(2^{13.2}\)</span>.

Ying Xu,Xiaoni Du,Meichun Jia,Xiangyu Wang,Jian Zou

DOI: https://doi.org/10.1007/s11128-023-04135-6

IF: 1.965

2023-10-16

Quantum Information Processing

Abstract:Generalized Feistel networks are important components of symmetric ciphers, and detailed security evaluations in the quantum setting remain to be explored. In this paper, based on the strong–weak separability of certain branch output function, we present polynomial-time quantum distinguishers for 4F-function and 2F-function structures in quantum chosen-plaintext attack setting for the first time, and then quantum key-recovery attacks are achieved through Grover-meet-Simon algorithm, respectively. Under the condition of the semi-strong separability, firstly, we give a quantum distinguisher on 8-round 4F-function structure, from which we carry out a 12-round quantum key-recovery attack to guess 10 n -bit subkey, whose time complexities gain a factor of . When attacking rounds, we can recover -bit subkey in time . Secondly, we show a quantum distinguisher on 5-round 2F-function structure, and a 7-round quantum key-recovery attack is performed on it, which can recover 3 n -bit subkey in time . When , -bit subkey can be recovered with time complexities by a factor of . Furthermore, based on the weak separability, a 6-round quantum distinguisher for 2F-function structure is constructed, and an 8-round quantum key-recovery attack is achieved, and the time complexity is when . The results show that the time complexity of each attack scheme we proposed is much better than that of Grover's brute force search.

physics, multidisciplinary,quantum science & technology, mathematical

Xiaoyang Dong,Zheng Li,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9436-7

2019-01-02

Science China Information Sciences

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. In ISIT 2010, Kuwakado and Morii gave a quantum distinguisher with polynomial time against 3-round Feistel networks. However, generalized Feistel schemes (GFS) have not been systematically investigated against quantum attacks. In this paper, we study the quantum distinguishers about some generalized Feistel schemes. For d-branch Type-1 GFS (CAST256-like Feistel structure), we introduce (2d - 1)-round quantum distinguishers with polynomial time. For 2d-branch Type-2 GFS (RC6/CLEFIA-like Feistel structure), we give (2d + 1)-round quantum distinguishers with polynomial time. Classically, Moriai and Vaudenay proved that a 7-round 4-branch Type-1 GFS and 5-round 4-branch Type-2 GFS are secure pseudo-random permutations. Obviously, they are no longer secure in quantum setting. Using the above quantum distinguishers, we introduce generic quantum key-recovery attacks by applying the combination of Simon’s and Grover’s algorithms recently proposed by Leander and May. We denote n as the bit length of a branch. For (d2-d+2)-round Type-1 GFS with d branches, the time complexity is 2(12d2−32d+2)⋅n2$${2^{\left( {\frac{1}{2}{d^2} - \frac{3}{2}d + 2} \right) \cdot \frac{n}{2}}}$$, which is better than the quantum brute force search (Grover search) by a factor 2(14d2+14d)n$${2^{\left( {\frac{1}{4}{d^2} + \frac{1}{4}d} \right)n}}$$. For 4d-round Type-2 GFS with 2d branches, the time complexity is 2d2n2$${2^{\frac{{{d^2}n}}{2}}}$$, which is better than the quantum brute force search by a factor 23d2n2$${2^{\frac{{3{d^2}n}}{2}}}$$.

computer science, information systems,engineering, electrical & electronic

Zou, Jian

DOI: https://doi.org/10.1007/s11128-024-04349-2

IF: 1.965

2024-04-03

Quantum Information Processing

Abstract:In this paper, we present some new key-recovery attacks on Misty L-KF, Misty R-KF, and generalized Feistel schemes. Firstly, we propose a new 5-round distinguisher on Misty L-KF structure. Based on our new distinguisher attack, we propose a new 6-round Demiric–Selçuk meet-in-the-middle attack (DS-MITM attack) against Misty L-KF structure. Secondly, we extend our classical DS-MITM attack to a new quantum DS-MITM attack on Misty L-KF structure by using the quantum claw finding algorithm. In addition, we apply the above method to attack Misty R-KF and generalized Feistel schemes. To sum up, we construct our classical key-recovery attacks on the 6-round Misty L-KF structure and Misty R-KF structure with time and memory cost. By using a quantum computer, our new quantum key-recovery attacks on the 6-round Misty L-KF structures and Misty R-KF structures can be constructed with time and memory cost. Furthermore, we can construct our new quantum -round key-recovery attacks on the d -branch contracting Feistels with time and memory cost. In the end, we can construct our new quantum -round and -round key-recovery attacks on the two types of d -branch expanding Feistels with time and memory cost.

physics, multidisciplinary,quantum science & technology, mathematical

Bo Yu,Tairong Shi,Xiaoyang Dong,Xuan Shen,Yiyuan Luo,Bing Sun

DOI: https://doi.org/10.1007/978-981-97-0945-8_19

2024-01-01

Abstract:Simon's algorithm has shown a threat to block ciphers in the quantum setting, especially accelerating attacks with superposition queries. Sometimes it is difficult for attackers to make superposition queries, while an easier way is to use classical data then process them on quantum computers. At ASIACRYPT 2019, Bonnetain et al. proposed the offline Simon's algorithm. But there is a gap between the classical queries and a quantum database in their work. In this paper, we propose an algorithm involving polynomial qubits that can transform a classical database into a quantum superposition state without using QRAM. What's more, we analyze the influence of two approaches called pre- and post-distinguisher methods for Simon's algorithm attack. Then we run a quantum key recovery attack on Feistel structure in the Q1 model. For attacking r-round Feistel structure with n-bit block size and n/2-bit subkey, the time complexity of our attack is O(l center dot 2(n/2+2) + 2((r-3)n/4)) (where l is a constant), and the classical data complexity is always O(2(n/2+1)), which is much better than the classical attacks especially for r > 5.

Bin-Bin Cai,Yusen Wu,Jing Dong,Su-Juan Qin,Fei Gao,Qiao-Yan Wen

DOI: https://doi.org/10.1093/comjnl/bxab216

2022-02-01

The Computer Journal

Abstract:Abstract By introducing the BHT algorithm into the slide attack on 1K-AES and the related-key attack on PRINCE, we present the corresponding quantum attacks in this paper. In the proposed quantum attacks, we generalize the BHT algorithm to the situation where the number of marked items is unknown ahead of time. Moreover, we give an implementation scheme of classifier oracle based on Quantum Phase Estimation algorithm in presented quantum attacks. The complexity analysis shows that the query complexity, time complexity and memory complexity of the presented quantum attacks are all $\mathcal{O}(2^{n/3})$ when the success probability is about $63\%$, where $n$ is the block size. Compared with the corresponding classical attacks, the proposed quantum attacks can achieve subquadratic speed-up under the same success probability no matter on query complexity, time complexity or memory complexity. Furthermore, the query complexity of the proposed quantum slide attack on 1K-AES is less than Grover search on 1K-AES by a factor of $2^{n/6}.$ When compared with the Grover search on PRINCE, the query complexity of the presented quantum attack on PRINCE is reduced from $\mathcal{O}(2^{n})$ to $\mathcal{O}(2^{n/2}).$ When compared with the combination of Grover and Simon’s algorithms on PRINCE, the query complexity of our quantum attack on PRINCE is reduced from $\mathcal{O}(n\cdot 2^{n/2})$ to $\mathcal{O}(2^{n/2}).$ Besides, the proposed quantum slide attack on 1K-AES indicates that the quantum slide attack could also be applied on Substitution-Permutation Network construction, apart from the iterated Even-Mansour cipher and Feistel constructions.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Runsong Wang,Xuelian Li,Juntao Gao,Hui Li,Baocang Wang

DOI: https://doi.org/10.1007/s11128-023-03907-4

IF: 1.965

2023-01-01

Quantum Information Processing

Abstract:In this paper, we aim to present a quantum setting-oriented preimage attack against 4-round Keccak -224. An important technique we called allocating rotational cryptanalysis takes the preimage attack into the situation of 2-block preimage recovery. With the conditions on the middle state proposed by Li et al., we use the generic quantum preimage attack to deal with the finding of the first preimage block. By using the newly explored propagation of rotational relations, we significantly increase the number of eigenpoints at the end of 4-round modified Keccak - f from 0 to 32 and therefore improve the accuracy of determining the rotational number for a certain rotational counterpart in the quantum setting by more than 10 orders of magnitude. On the basis of the above, we design an efficient unitary oracle operator with only twice calling of the 4-round modified Keccak - f , which costs half of the previous results, to mark a rotational counterpart of the second preimage block in order that the second preimage block can be found indirectly from a quickly generated specified search space. As a result of attacking the 4-round Keccak -224: In the classical setting, the preimage attack with the complexity decreased to 2^218 is better than the result based on the pioneered rotational cryptanalysis. In the quantum setting, the amplitude amplification-driven preimage attack with a complexity of 2^110 is by far the best dedicated quantum preimage attack. Additionally, the SKW algorithm is applied to the dedicated quantum preimage attack against the 4-round Keccak -224 for the first time, which is exponentially easier to implement in the quantum circuit than the former, with a complexity of 2^111 .

Chen Bai,Mehdi Esmaili,Atul Mantri

2024-12-06

Abstract:We study the security of key-alternating ciphers (KAC), a generalization of Even-Mansour ciphers over multiple rounds, which serve as abstractions for many block cipher constructions, particularly AES. While the classical security of KAC has been extensively studied, little is known about its security against quantum adversaries. In this paper, we introduce the first nontrivial quantum key-recovery attack on multi-round KAC in a model where the adversary has quantum access to only one of the public permutations. Our attack applies to any $t$-round KAC, achieving quantum query complexity of $O(2^{\frac{t(t+1)n}{(t+1)^2+1}})$, where $n$ is the size of each individual key, in a realistic quantum threat model, compared to the classical bound of $O(2^{\frac{tn}{(t+1)}})$ queries given by Bogdanev et al. (EUROCRYPT 2012). Our quantum attack leverages a novel approach based on quantum walk algorithms. Additionally, using the quantum hybrid method in our new threat model, we extend the Even-Mansour lower bound of $\Omega(2^{\frac{n}{3}})$ given by Alagic et al. (EUROCRYPT 2022) to $\Omega(2^{\frac{(t-1)n}{t}})$ for the $t$-round KAC (for $t \geq 2$).

Quantum Physics,Cryptography and Security

Joseph Jaeger,Fang Song,Stefano Tessaro

DOI: https://doi.org/10.48550/arXiv.2105.01242

2021-10-23

Abstract:Should quantum computers become available, they will reduce the effective key length of basic secret-key primitives, such as blockciphers. To address this we will either need to use blockciphers which inherently have longer keys or use key-length extension techniques which employ a blockcipher to construct a more secure blockcipher that uses longer keys. We consider the latter approach and revisit the FX and double encryption constructions. Classically, FX is known to be secure, while double encryption is no more secure than single encryption due to a meet-in-the-middle attack. We provide positive results, with concrete and tight bounds, for both of these constructions against quantum attackers in ideal models. For FX, we consider a partially-quantum model, where the attacker has quantum access to the ideal primitive, but only classic access to FX. We provide two results for FX in this model. The first establishes the security of FX against non-adaptive attackers. The second establishes security against general adaptive attacks for a variant of FX using a random oracle in place of an ideal cipher. This result relies on the techniques of Zhandry (CRYPTO '19) for lazily sampling a quantum random oracle. An extension to perfectly lazily sampling a quantum random permutation, which would help resolve the adaptive security of standard FX, is an important but challenging open question. We introduce techniques for partially-quantum proofs without relying on analyzing the classical and quantum oracles separately, which is common in existing work. This may be of broader interest. For double encryption we apply a technique of Tessaro and Thiruvengadam (TCC '18) to establish that security reduces to the difficulty of solving the list disjointness problem, which we are able to reduce through a chain of results to the known quantum difficulty of the element distinctness problem.

Quantum Physics,Cryptography and Security

Jiajie Liu,Bing Sun,Chao Li

DOI: https://doi.org/10.1049/ise2.12098

2022-01-01

IET Information Security

Abstract:This study proposes a new iterative structure called the L‐Feistel structure, which shares similar procedures between encryption and decryption and could unify the Feistel structure and the Lai‐Massey structure. This paper evaluates the security of the L‐Feistel structure from the perspective of provable security and classical analysis, respectively. Firstly, it is proved that the 4‐round Key‐Alternating L‐Feistel cipher with independent round keys and independent round functions is secure against 2 n /2 queries that is, birthday‐bound security. Then by presenting the dual structure of the L‐Feistel structure with SP‐type round functions, it is proven that a differential of the L‐Feistel structure is impossible when and only when it is a zero‐correlation linear hull of its dual structure. Finally, the paper constructs impossible differentials, zero‐correlation linear hulls and integral distinguishers of the L‐Feistel structure with SP‐type round functions which cover six and seven rounds, respectively, under different conditions.

Yin-Song Xu,Yi-Bo Luo,Zheng Yuan,Xuan Zhou,Qi-di You,Fei Gao,Xiao-Yang Dong

DOI: https://doi.org/10.1007/s10623-024-01526-3

2024-01-01

Abstract:In recent years, it has become a popular trend to propose quantum versions of classical attacks. The rectangle attack as a differential attack is widely used in symmetric cryptanalysis and applied on many block ciphers. To improve its efficiency, we propose a new quantum rectangle attack firstly. In rectangle attack, it counts the number of valid quartets for each guessed subkeys and filters out subkey candidates according to the counter. To speed up this procedure, we propose a quantum key counting algorithm based on parallel amplitude estimation algorithm and amplitude amplification algorithm. Then, we complete with the remaining key bits and search the right full key by nested Grover search. Besides, we give a strategy to find a more suitable distinguisher to make the complexity lower. Finally, to evaluate post-quantum security of the tweakable block cipher Deoxys-BC, we perform automatic search for good distinguishers of Deoxys-BC according to the strategy, and then apply our attack on 9/10-round Deoxys-BC-256 and 12/13/14-round Deoxys-BC-384. The results show that our attack has some improvements than classical attacks and Grover search.

Huiqin Xie,Zhangmei Zhao,Ke Wang,Yanjun Li,Hongcai Xin

DOI: https://doi.org/10.3390/math12172678

IF: 2.4

2024-08-31

Mathematics

Abstract:Because of the substantial progress in quantum computing technology, the safety of traditional cryptologic schemes is facing serious challenges. In this study, we explore the quantum safety of the lightweight cipher MIBS and propose quantum key-recovery attacks on the MIBS cipher by utilizing Grover's algorithm and Bernstein–Vazirani algorithm. We first construct linear-structure functions based on the 5-round MIBS cipher according to the characteristics of the linear transformations, and then we obtain a quantum distinguisher of the 5-round MIBS cipher by applying Bernstein–Vazirani algorithm to the constructed functions. Finally, utilizing this distinguisher and Grover's algorithm, we realize a 7-round key-recovery attack on the MIBS cipher, and then we expand the attack to more rounds of MIBS based on a similar idea. The quantum attack on the 7-round MIBS requires 156 qubits and has a time complexity of 210.5. An 8-round attack requires 179 qubits and has a time complexity of 222. Compared with existing quantum attacks, our attacks have better time complexity when attacking the same number of rounds.

mathematics

Wenjie Liu,Mengting Wang,Zixian Li

DOI: https://doi.org/10.1142/s021773232350092x

2023-10-01

Abstract:Classical forgery attacks against Offset Two-round (OTR) structures require some harsh conditions, such as some plaintext and ciphertext pairs need to be known, and the success probability is not too high. To solve these problems, a quantum forgery attack on OTR structure using Simon's algorithm is proposed. The attacker intercept the ciphertext-tag pair $(C,T)$ between the sender and receiver, while Simon's algorithm is used to find the period of the tag generation function in OTR, then we can successfully forge new ciphertext $C'$ ($C'\ne C$) for intercepted tag $T$. For a variant of OTR structure (Pr{/o}st-OTR-Even-Mansour structure), a universal forgery attack, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it, is proposed. It first obtains the secret parameter L using Simon's algorithm, then the secret parameter L is used to find the keys $k_1$ and $k_2$, so that an attacker can forge the changed messages. It only needs several plaintext blocks to help obtain the keys to forge any messages. Performance analysis shows that the query complexity of our attack is $O(n)$, and its success probability is very close to 1.

Quantum Physics,Cryptography and Security,Emerging Technologies

Weiwei Cao,Xiuyun Nie,Lei Hu,Xiling Tang,Jintai Ding

DOI: https://doi.org/10.1007/978-3-642-12929-2_4

2010-01-01

Abstract:MFE, a multivariate public key encryption scheme proposed by Wang et al in CT-RSA 2006, was conquered by second order linearization equation (SOLE) attack by Ding et al in PKC 2007. To resist this attack, many improved schemes were proposed. Wang et al in [WFW09 and Wang in [Wan07] both modified MFE and raised the public key from quadratic to quartic equations. We call the two quartic schemes Quartic-1 and Quartic-2 respectively for convenience. They are indeed immune to the SOLE attack. However, we find that there exist many quadratization equations (QEs), which are quadratic in plaintext variables and linear in ciphertext variables and can be derived from the public keys of Quartic-1 and Quartic-2. In this paper, we utilize QEs to recover the corresponding plaintext for a given ciphertext. For Quartic-1, we firstly find there are at least 2r SOLEs, which was regarded as impossible by the original authors, furthermore, we can find at least 35r QEs with a complexity $\mathcal {O}((90r^2(15r+1)+180r^2+15r(15r+1)/2+27r+1)^w)$, where r is a small number denoting the degree of extension of finite fields and w≈2.732. The computational complexity of deriving these equations is about 237. But to find the original plaintext, there still needs 240 times Gröbner basis computations, which needs practically 1.328 seconds each time. For Quartic-2, we make a theoretical analysis and find 18r QEs with a computational complexity $\mathcal {O}((15r+1)6r(12r+1)+180r^2+27r+1)^w$. The complexity is 236 for the parameter proposed in [Wan07], and we can break the scheme practically in 3110.734 seconds. Finally, we show that another improved version of MFE in [WZY07] is insecure against the linearization equation attack although its authors claimed it is secure against high order linearization equation attack. Our attack on the two quartic schemes illustrates that non-linearization equations like quadratization equations which are not degree one in plaintext variables can also be used efficiently to analyze multivariate cryptosystems.

Yu Sasaki,Lei Wang,Yasuhide Sakai,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1007/978-3-642-31410-0_9

2012-01-01

Abstract:This paper presents an improved single-key attack on a block-cipher XTEA by using the three-subset meet-in-the-middle (MitM) attack. Firstly, a technique on a generic block-cipher is discussed. It points out that the previous work applying the splice-and-cut technique to the three-subset MitM attack contains incomplete arguments, and thus it requires a very large data complexity, which is close to the code book. This paper gives a corrected procedure to keep the data complexity small. Secondly, the three-subset MitM attack is applied for reduced-round XTEA, which is a 64-bit block-cipher with 64-round Feistel network and a 128-bit key. 25 rounds are attacked with 9 known plaintexts and 2120.40 XTEA computations, while the previous best single-key attack only reaches 23 rounds. In the chosen-plaintext model, the attack is extended to 28 rounds with 237 chosen-plaintexts and 2120.38 computations.

Pierre-Louis Cayrel,Brice Colombier,Vlad-Florin Drăgoi,Alexandre Menu,Lilian Bossuet

DOI: https://doi.org/10.1007/978-3-030-77886-6_15

2021-01-01

Abstract:Code-based public-key cryptosystems are promising candidates for standardization as quantum-resistant public-key cryptographic algorithms. Their security is based on the hardness of the syndrome decoding problem. Computing the syndrome in a finite field, usually F2documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathbb {F}_{2}$$end{document}, guarantees the security of the constructions. We show in this article that the problem becomes considerably easier to solve if the syndrome is computed in Ndocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathbb {N}$$end{document} instead. By means of laser fault injection, we illustrate how to compute the matrix-vector product in Ndocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathbb {N}$$end{document} by corrupting specific instructions, and validate it experimentally. To solve the syndrome decoding problem in Ndocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathbb {N}$$end{document}, we propose a reduction to an integer linear programming problem. We leverage the computational efficiency of linear programming solvers to obtain real-time message recovery attacks against the code-based proposal to the NIST Post-Quantum Cryptography standardization challenge. We perform our attacks in the worst-case scenario, i.e. considering random binary codes, and retrieve the initial message within minutes on a desktop computer.Our attack targets the reference implementation of the Niederreiter cryptosystem in the NIST PQC competition finalist Classic McEliece and is practically feasible for all proposed parameters sets of this submission. For example, for the 256-bit security parameters sets, we successfully recover the message in a couple of seconds on a desktop computer Finally, we highlight the fact that the attack is still possible if only a fraction of the syndrome entries are faulty. This makes the attack feasible even though the fault injection does not have perfect repeatability and reduces the computational complexity of the attack, making it even more practical overall.

Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-46706-0_7

2014-01-01

Abstract:This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with 2 121 chosen plaintexts, 2(187.5) 9-round encryptions and 2(185) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.13154/tosc.v2016.i1.13-32

2016-01-01

Abstract:Since Knudsen and Rijmen proposed the known-key attacks in ASIACRYPT 2007, the open-key model becomes more and more popular. As the other component of the open-key model, chosen-key model was applied to the full attacks on AES-256 by Biryukov et al. in CRYPTO 2009. In this paper, we explore how practically the chosen-key model affect the real-world cryptography and show that 11-round generic Feistel-SP block cipher is no longer safe in its hashing modes (MMO and MP mode) as there exist collision attacks. This work improves Sasaki and Yasuda’s collision attacks by 2 rounds with two interesting techniques. First, we for the first time use the available degrees of freedom in the key to reduce the complexity of the inbound phase, which extends the previous 5-round inbound differential to a 7-round one. This results in a 12-round chosen-key distinguisher of Feistel-SP block cipher. Second, inspired by the idea of Wang et al., we construct collisions using two blocks. The rebound attack is used in the second compression function. We carefully balance the freedom of the first block and the complexity of the rebound attack, and extend the chosen-key attack to a 11-round collision attack on its hashing modes (MMO and MP mode).

张鹏,孙兵,李超

DOI: https://doi.org/10.3969/j.issn.1001-2486.2010.04.025

2010-01-01

Abstract:Securities of two special Feistel ciphers with SP-structured round functions against Square attack were studied. By changing the position of P permutation of the round functions in an equivalent manner,some new cryptanalytic results of round-reduced SNAKE(2) and CLEFIA were presented. Time complexity of Square attack against 6-round SNAKE(2) was reduced from 224 to 213.4,and for 6-round CLEFIA,time complexity of Square attack was reduced from 234.4 to 212.4. The results show that,in designing Feistel ciphers with SP-structured round functions,influence of equivalent structures and Square attack should be taken into consideration.