Meiqin Wang,Xiaoyun Wang,Kam Pui Chow,Lucas Chi Kwong Hui

DOI: https://doi.org/10.1587/transfun.e93.a.2744

2010-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics and they can attack 5-round CAST-128. In this paper, we studied the properties of round functions F1 and F3 in CAST-128, and identified differential characteristics for F1 round function and F3 round function. So we identified a 6-round differential characteristic with probability 2-53 under 2-23.8 of the total key space. Then based on 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72bits and 9-round CAST-128 with key sizes greater than or equal to 104bits. We give the summary of attacks on reduced-round CAST-128 in Table 10.

Jorge Nakahara,Pouyan Sepehrdad,Bingsheng Zhang,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-10433-6_5

2009-01-01

Abstract:The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

XIAO ZHOU,JINGWEI LI,XUEJIA LAI,HAILUN YAN

DOI: https://doi.org/10.12783/dtcse/iceiti2017/18884

2018-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:CAST family of ciphers are the block ciphers created by Carlisle Adams et al. in 1996. One famous member of CAST family is CAST-128, which is a 12-round or 16-round Feistel network. In this paper, we apply the interpolation attack on both 5- round and 16-round CAST-128 Cipher to recover the last round key. We first mount the basic interpolation attack separately on it. After combining with the higher order differential cryptanalysis, our result reduces the time complexity in 231.4 bit operation for 5-round attack. We also apply the optimized interpolation attack on the 16-round CAST-128-like structure which requires 244.2 bit operations and 231 chosen plaintexts.

Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-52993-5_22

2016-01-01

Abstract:SIMON is a lightweight block cipher family proposed by NSA in 2013. It has drawn many cryptanalysts' attention and varieties of cryptanalysis results have been published, including differential, linear, impossible differential, integral cryptanalysis and so on. In this paper, we give the improved linear attacks on all reduced versions of Simon with dynamic key-guessing technique, which was proposed to improve the differential attack on Simon recently. By establishing the boolean function of parity bit in the linear hull distinguisher and reducing the function according to the property of AND operation, we can guess different sub-keys (or equivalent subkeys) for different situations, which decrease the number of key bits involved in the attack and decrease the time complexity in a further step. As a result, 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256 can be attacked. As far as we know, our attacks on most reduced versions of Simon are the best compared with the previous cryptanalysis results. However, this does not shake the security of Simon family with full rounds.

Nicky Mouha,Qingju Wang,Dawu Gu,Bart Preneel

DOI: https://doi.org/10.1007/978-3-642-34704-7_5

2011-01-01

Abstract:Differential and linear cryptanalysis are two of the most powerful techniques to analyze symmetric-key primitives. For modern ciphers, resistance against these attacks is therefore a mandatory design criterion. In this paper, we propose a novel technique to prove security bounds against both differential and linear cryptanalysis. We use mixed-integer linear programming (MILP), a method that is frequently used in business and economics to solve optimization problems. Our technique significantly reduces the workload of designers and cryptanalysts, because it only involves writing out simple equations that are input into an MILP solver. As very little programming is required, both the time spent on cryptanalysis and the possibility of human errors are greatly reduced. Our method is used to analyze Enocoro-128v2, a stream cipher that consists of 96 rounds. We prove that 38 rounds are sufficient for security against differential cryptanalysis, and 61 rounds for security against linear cryptanalysis. We also illustrate our technique by calculating the number of active S-boxes for AES.

Ivica Nikolic,Lei Wang,Shuang Wu

DOI: https://doi.org/10.1007/978-3-662-43933-3_7

2013-01-01

Abstract:In this paper we present known-plaintext single-key and chosen-key attacks on round-reduced LED-64 and LED-128. We show that with an application of the recently proposed slidex attacks [5], one immediately improves the complexity of the previous single-key 4-step attack on LED-128. Further, we explore the possibility of multicollisions and show single-key attacks on 6 steps of LED-128. A generalization of our multicollision attack leads to the statement that no 6-round cipher with two subkeys that alternate, or 2-round cipher with linearly dependent subkeys, is secure in the single-key model. Next, we exploit the possibility of finding pairs of inputs that follow a certain differential rather than a differential characteristic, and obtain chosen-key differential distinguishers for 5-step LED-64, as well as 8-step and 9-step LED-128. We provide examples of inputs that follow the 8-step differential, i.e. we are able to practically confirm our results on 2/3 of the steps of LED-128. We introduce a new type of chosen-key differential distinguisher, called random-difference distinguisher, and successfully penetrate 10 of the total 12 steps of LED-128. We show that this type of attack is generic in the chosen-key model, and can be applied to any 10-round cipher with two alternating subkeys.

Qingju Wang,Zhiqiang Liu,Kerem Varici,Yu Sasaki,Vincent Rijmen,Yosuke Todo

DOI: https://doi.org/10.1007/978-3-319-13039-2_9

2014-01-01

Abstract:SIMON family is one of the recent lightweight block cipher designs introduced by NSA. So far there have been several cryptanalytic results on this cipher by means of differential, linear and impossible differential cryptanalysis. In this paper, we study the security of SIMON32, SIMON48/72 and SIMON48/96 by using integral, zero-correlation linear and impossible differential cryptanalysis. Firstly, we present a novel experimental approach to construct the best known integral distinguishers of SIMON32. The small block size, 32 bits, of SIMON32 enables us to experimentally find a 15-round integral distinguisher, based on which we present a key recovery attack on 21-round SIMON32, while previous best results only achieved 19 rounds. Moreover, we attack 20-round SIMON32, 20-round SIMON48/72 and 21-round SIMON48/96 based on 11 and 12-round zero-correlation linear hulls of SIMON32 and SIMON48 respectively. Finally, we propose new impossible differential attacks which improve the previous impossible differential attacks. Our analysis shows that SIMON maintains enough security margin.

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Zhichao Xu,Hong Xu,Lin Tan,Wenfeng Qi

DOI: https://doi.org/10.1016/j.jisa.2024.103773

IF: 4.96

2024-04-19

Journal of Information Security and Applications

Abstract:SPECK and SPARX are two kinds of block ciphers with an ARX structure. In this paper, we use the SAT-based automatic search tool to search for linear approximations of these two ARX ciphers. As a result, we find a linear approximation for 17-round SPECK128, which covers one more round than previous work. Based on this linear approximation, we propose improved linear cryptanalysis for 19-round SPECK128/192 and 20-round SPECK128/256, which cover one more round than previous work. For ARX cipher SPARX, we find an optimal linear approximation for 13-round SPARX-64, which covers three more rounds than previous work. We also find an optimal linear approximation for 10-round SPARX-128, which covers two more rounds than previous work. Furthermore, we find a linear approximation for 14-round SPARX-128 by splicing two short linear approximations, which covers four more rounds than previous work. Based on these linear approximations, we propose linear cryptanalysis for 15-round SPARX-64/128, 15-round SPARX-128/128 and 16-round SPARX-128/256.

computer science, information systems

MeiQin Wang,XiaoYun Wang,Lucas C.K. Hui

DOI: https://doi.org/10.1007/s11432-010-0048-2

2010-01-01

Abstract:Differential cryptanalysis is a general cryptanalytic tool that makes use of differentials over some rounds of a cipher, combined with some key bit guesses of one or two rounds. This paper introduces a new cryptanalysis strategy of block ciphers named differential-algebraic cryptanalysis. The idea of differential-algebraic cryptanalysis is to find a differential with high probability and build the multivariable system equations for the last few rounds. The subkey values of the last few rounds can be obtained by filtering the solutions of system equations instead of guessing all possible subkey values. We use the differential-algebraic cryptanalysis to break 8-round Serpent-256. Our attack can recover the 256-bit key with 283 chosen plaintexts, 2180.4 8-round Serpent-256 encryptions and 2176.7 bytes memory. Compared with the previous differential cryptanalysis results, both the data complexity and the time complexity are reduced, but the memory requirements are increased. The time complexity and the memory requirements are very close, and a time-memory tradeoff is exploited.

Shichang Wang,Shiqi Hou,Meicheng Liu,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-030-88323-2_9

2021-01-01

Abstract:KNOT is one of the 32 candidates in the second round of NIST’s lightweight cryptography standardization process. The KNOT family consists of bit-slice lightweight Authenticated Encryption with Associated Data (AEAD) and hashing algorithms. In this paper, we evaluate the security for the initialization phase of two members of the KNOT-AEAD family by differential-linear cryptanalysis. More exactly, we analyze KNOT-AEAD(128,256,64) and KNOT-AEAD(128,384,192) which have 128-bit secret keys. As a result, for 15-round KNOT-AEAD(128,256,64), our attack takes 2 48.8 time complexity and 2 47.5 blocks to recover the full 128-bit key. To the best of our knowledge, this is the first full key-recovery attack on 15-round KNOT-AEAD(128,256,64), and it achieves three more rounds compared with the existing work. Regarding 17-round KNOT-AEAD(128,384,192), time complexity of 2 59.2 and data complexity of 2 58.2 are required to launch a key-recovery attack, which is five rounds better than the known result. We stress here that our attacks do not threaten the security of KNOT-AEAD.

Ning Wang,Xiaoyun Wang,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-30840-1_9

2015-01-01

Abstract:LBlock is a 32-round lightweight block cipher with a 64-bit block size and an 80-bit key. This paper presents a new impossible differential attack on LBlock by improving the previous best result for 1 more round. Based on the nibble conditions, detailed differential properties of LBlock S-Boxes and thorough exploration of subkey relations, we set up well precomputation tables to collect the data needed and propose an optimal key-guessing arrangement to effectively reduce the time complexity of the attack. With these techniques, we launch an impossible differential attack on 24-round LBlock. To the best of our knowledge, this attack is currently the best in terms of the number of rounds attacked (except for biclique attacks).

Zhiqiang Liu,Dawu Gu,Ya Liu,Juanru Li,Wei Li

DOI: https://doi.org/10.1007/978-3-642-25243-3_20

2011-01-01

Abstract:In this paper, we firstly present an approach to derive a kind of special linear characteristics for byte-oriented SPN block ciphers. Then based on this approach, we study the security of the block cipher ARIA against linear cryptanalysis and propose an attack on 7-round ARIA with 128/192/256-bit key size, an attack on 9-round ARIA with 192/256-bit key size as well as an attack on 11-round ARIA with 256-bit key size. The designers of ARIA expect that there isn't any effective attack on 8 or more rounds of ARIA with 128/192/256-bit key size by means of linear cryptanalysis. However, our work shows that such attacks do exist. Moreover, our cryptanalytic results are the best known cryptanalytic results of ARIA so far.

Wentan Yi,Shaozhen Chen,Kuanyang Wei

DOI: https://doi.org/10.48550/arXiv.1406.3240

2014-06-17

Abstract:Block cipher ARIA was first proposed by some South Korean experts in 2003, and later, it was established as a Korean Standard block cipher algorithm by Korean Agency for Technology and Standards. In this paper, we focus on the security evaluation of ARIA block cipher against the recent zero-correlation linear cryptanalysis. In addition, Partial-sum technique and FFT (Fast Fourier Transform) technique are used to speed up the cryptanalysis, respectively. We first introduce some 4-round linear approximations of ARIA with zero-correlation, and then present some key-recovery attacks on 6/7-round ARIA-128/256 with Partial-sum technique and FFT <a class="link-external link-http" href="http://technique.The" rel="external noopener nofollow">this http URL</a> key-recovery attack with Partial-sum technique on 6-round ARIA-128 needs 2^{123.6}known plaintexts (KPs), 2^{121} encryptions and 2^{90.3} bytes memory, and the attack with FFT technique requires 2^{124.1} KPs, 2^{121.5} encryptions and 2^{90.3}bytes memory. Moreover, applying Partial-sum technique, we can attack 7-round ARIA-256 with 2^{124.6} KPs, 2^{203.5} encryptions and 2^{152} bytes and 7-round ARIA-256 employing FFT technique, requires 2^{124.7} KPs, 2^{209.5} encryptions and 2^{152} bytes. Our results are the first zero-correlation linear cryptanalysis results on ARIA.

Cryptography and Security

Zhiqiang Liu,Shuai Han,Qingju Wang,Wei Li,Ya Liu,Dawu Gu

DOI: https://doi.org/10.1007/s11432-018-9758-4

2019-01-01

Science China Information Sciences

Abstract:Linear cryptanalysis is one of the most important cryptanalytic tools against block ciphers, thus modern block ciphers are always deliberately devised to avoid good long linear characteristics so as to resist linear cryptanalysis and its extensions. Differential-linear cryptanalysis, a powerful extension of linear cryptanalysis, has drawn much attention due to its applicability even in certain case that there is no good long linear characteristic of block ciphers. To further refine differential-linear cryptanalysis, we investigate the correlation distribution of differential-linear hull over random permutation and derive a concrete and concise correlation distribution accordingly. Theoretically, this could make differential-linear cryptanalysis more reasonable and precise. Moreover, the newly-proposed correlation distribution could lead to an interesting potential for improving the effectiveness of differential-linear cryptanalysis.

Xu, Zhichao,Xu, Hong,Tan, Lin,Qi, Wenfeng

DOI: https://doi.org/10.1007/s12095-024-00708-z

2024-04-02

Cryptography and Communications

Abstract:Differential-linear cryptanalysis is an efficient cryptanalysis method to attack ARX ciphers, which have been used to present the best attacks on many ARX primitives such as Chaskey and Chacha. In this paper, we present the differential-linear cryptanalysis of another ARX-based block cipher SPARX-64/128. We first construct multiple 6-round differential-linear distinguishers based on the structure of SPARX-64/128, and then extend them into 14-round differential-linear distinguishers by adding a 7-round differential characteristic before and a one-round linear approximation after the distinguishers. Then we introduce a new linear approximation of modular addition, and use it to extend one more round after the 14-round differential-linear distinguishers. With the 15-round differential-linear distinguishers, we present a differential-linear attack on 18-round SPARX-64/128.

computer science, theory & methods,mathematics, applied

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1587/transfun.e97.a.127

2014-01-01

Abstract:The current paper presents an integral cryptanalysis in the single-key setting against light-weight block-cipher LBlock reduced to 22 rounds. Our attack uses the same 15-round integral distinguisher as the previous attacks, but many techniques are taken into consideration in order to achieve comprehensive understanding of the attack; choosing the best balanced-byte position, meet-in-the-middle technique to identify right key candidates, partial-sum technique, relations among subkeys, and combination of the exhaustive search with the integral analysis. Our results indicate that the integral cryptanalysis is particularly useful for LBlock like structures. At the end of this paper, which factor makes the LBlock structure weak against the integral cryptanalysis is discussed. Because designing light-weight cryptographic primitives is an actively discussed topic, we believe that this paper returns some useful feedback to future designs.

Jie Cui,Liusheng Huang,Hong Zhong,Wei Yang

DOI: https://doi.org/10.1109/ICCSE.2010.5593579

2010-01-01

Abstract:In this paper the authors present an attack on 7-round AES-128/256 to improve the known cryptanalysis by changing the order of round transformation , using the alternative representation of the round keys, exploiting the relationship of keys, designing the key difference pattern properly. By using the improved attack method, the complexity is reduced from 2 192 to 2 104 with 2 72 chosen plaintexts, the authors reduce complexity to 2 88 using partial sums. ©2010 IEEE.

Yin Lv,Danping Shi,Lei Hu,Yi Guo

DOI: https://doi.org/10.1007/s10623-024-01458-y

IF: 1.4

2024-07-26

Designs Codes and Cryptography

Abstract:Linear cryptanalysis is one of the most classical cryptanalysis methods for block ciphers. Some critical techniques of the key-recovery phase are developed for enhancing linear cryptanalysis. Collard et al. improved the time complexity for last-round key-recovery attacks by using FWT. A generalized key-recovery algorithm for an arbitrary number of rounds with an associated time complexity formula is further provided by Flórez-Gutiérrez and Naya-Plasencia based on FWT in Eurocrypt 2020. However, the previous generalized algorithms are mainly applied to block ciphers with SPN structures, where the round-keys in the first and last round XORed to the state can be easily defined as outer keys . In Asiacrypt 2021, Leurent et al. applied the algorithm by Flórez-Gutiérrez et al. to Feistel structure ciphers. However, for other structures, such as NLFSR-based, the outer keys can not be directly deduced to utilize the previous algorithms. This paper extends the algorithm by Flórez-Gutiérrez et al. for more complicated structures, including but not limited to NLFSR-based, Feistel, ARX, and SPN. We also use the dependency relationships between ciphertext, plaintext and key information bits to eliminate the redundancy calculation and the improve analysis phase. We apply the algorithm with the improved analysis phase to KATAN (NLFSR-based) and SPARX (ARX). We obtain significantly improved results. The linear results we find for SPARX-128/128 beat other cryptanalytic techniques, becoming the best key recovery attacks on this cipher. The previous best linear attacks on KATAN32, KATAN48 and KATAN64 are improved by 9, 4, and 14 rounds, respectively.

mathematics, applied,computer science, theory & methods

Hong Xu,Ping Jia,Geshi Huang,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-319-29814-6_9

2015-01-01

Abstract:LBlock-s is the kernel block cipher of the authentication encryption algorithm LAC submitted to CAESAR competition. The LBlock-s algorithm is almost the same as LBlock except that the former adopts an improved key schedule algorithm with better diffusion property. Using the shifting relation of certain subkeys derived by the new key schedule algorithm, we present a multidimensional zero-correlation linear cryptanalysis on 23-round LBlock-s. The time complexity of the attack is about (2^{75.4}) 23-round encryptions, where (2^{62.3}) known plaintexts are used and 60 subkey bits are guessed, which is three bits less than that of LBlock. Our research showed that the improved key schedule algorithm did not enhance their ability to protect against zero-correlation linear cryptanalysis, and it is better to use the irregular bit-shifting to disturb the shifting relation between subkeys.