Xiaoyang Dong,Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-16715-2_4

2015-01-01

Abstract:Camellia is a widely used block cipher, which has been selected as an international standard by ISO/IEC. In this paper, we consider a new family of differentials of round-reduced Camellia-128 depending on different key subsets. There are totally 224 key subsets corresponding to 224 types of 8-round differentials, which cover a fraction of \(1-1/2^{15}\) of the keyspace. And each type of 8-round differential consists of \(2^{43}\) differentials. Combining with the multiple differential attack techniques, we give the key-dependent multiple differential attack on 10-round Camellia-128 with data complexity \(2^{91}\) and time complexity \(2^{113}\). Furthermore, we propose a 7-round property for Camellia-192 and an 8-round property for Camellia-256, and then mount the meet-in-the-middle attacks on 12-round Camellia-192 and 13-round Camellia-256, with complexity of \(2^{180}\) encryptions and \(2^{232.7}\) encryptions, respectively. All these attacks start from the first round in a single key setting.

Leibo Li,Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-25513-7_4

2011-01-01

Abstract:Camellia is one of the widely used block ciphers, which has been selected as an international standard by ISO/IEC. In this paper, by exploiting some interesting properties of the key-dependent layer, we improve previous results on impossible differential cryptanalysis of reduced-round Camellia and gain some new observations. First, we introduce some new 7-round impossible differentials of Camellia for weak keys. These weak keys that work for the impossible differential take 3/4 of the whole key space, therefore, we further get rid of the weak-key assumption and leverage the attacks on reduced-round Camellia to all keys by utilizing the multiplied method. Second, we build a set of differentials which contains at least one 8-round impossible differential of Camellia with two FL/FL−1 layers. Following this new result, we show that the key-dependent transformations inserted in Camellia cannot resist impossible differential cryptanalysis effectively. Based on this set of differentials, we present a new cryptanalytic strategy to mount impossible differential attacks on reduced-round Camellia.

Jiazhe Chen,Keting Jia,Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-22497-3_2

2011-01-01

Abstract:Camellia, which is a block cipher selected as a standard by ISO/IEC, is one of the most widely used block ciphers. In this paper, we propose several 6-round impossible differentials of Camellia with FL/FL-1 layers in the middle of them. With the impossible differentials and a well-organized precomputed table, impossible differential attacks on 10-round Camellia-192 and 11-round Camellia-256 are given, and the time complexities are 2(175.3) and 2(206.8) respectively. In addition, an impossible differential attack on 15-round Camellia-256 without FL/FL-1 layers and whitening is also be given, which needs about 2(236.1) encryptions. To the best of our knowledge, these are the best cryptanalytic results of Camellia-192/-256 with FL/FL-1 layers and Camellia-256 without FL/FL-1 layers to date.

Keting Jia,Ning Wang

DOI: https://doi.org/10.1007/978-3-319-40367-0_23

2016-01-01

Abstract:As an international standard by ISO/IEC, Camellia is a widely used block cipher, which has received much attention from cryptanalysts. The impossible differential attack is one of efficient methods to analyze Camellia. Liu et al. gave an 8-round impossible differential, of which the input and output differences depend on some weak keys. In this paper, we apply some key relations to build the precomputation table to reduce time complexity and give some relations between the size of weak key sets and the number of input and output differences of the impossible differentials, which are used to balance the time complexity and the fraction of key space attacked. Furthermore, we give an impossible differential attack on 14-round Camellia-192 with $$2^{126.5}$$ known plaintexts and $$2^{189.32}$$ encryptions. Our impossible differential attack works one more round than previous cryptanalysis results.

Ya Liu,Anren Yang,Zhiqiang Liu,Wei Li,Qingju Wang,Liang Song,Dawu Gu

DOI: https://doi.org/10.1049/iet-ifs.2014.0279

2016-01-01

IET Information Security

Abstract:As an ISO/IEC international standard, Camellia has been used in various cryptographic applications. In this study, the authors present the best currently known attacks on Camellia-192/256 with key-dependent layers FL/FL-1 (without the whitening layers) by taking advantage of the intrinsic weakness of keyed functions, the redundancy of key schedule and the early abort technique. Specifically, the authors mount the first impossible differential attack on 13-round Camellia-192 with 2(124.79) chosen plaintexts, 2(186.09) 13-round encryptions and 2(129.79) bytes, while the analysis for the biggest number of rounds in previous results on Camellia-192 worked on 12 rounds. Furthermore, the authors successfully attack on 14-round Camellia-256 with 2(122.14) chosen plaintexts, 2(228.33) 14-round encryptions and 2(134.14) bytes. Compared with the previously best known attack on 14-round Camellia-256, the time and memory complexities are reduced by 2(9.87) times and 2(46.06) times, and the data complexity is comparable.

Ya Liu,Dawu Gu,Zhiqiang Liu,Wei Li

DOI: https://doi.org/10.1016/j.jss.2012.05.051

2012-01-01

Abstract:As an international standard adopted by ISO/IEC, the block cipher Camellia has been used in various cryptographic applications. In this paper, we reevaluate the security of Camellia against impossible differential cryptanalysis. Specifically, we propose several 7-round impossible differentials with the FL/FL-1 layer. Based on one of them, we mount impossible differential attacks on 11-round Camellia-192 and 12-round Camellia-256. The data complexities of our attacks on 11-round Camellia-192 and 12-round Camellia-256 are about 2(120) chosen plaintexts and 2(119.8) chosen plaintexts, respectively. The corresponding time complexities are approximately 2(167.1) 11-round encryptions and 2(220.87) 12-round encryptions. As far as we know, our attacks are 2(16.9) times and 2(19.13) times faster than the previously best known ones but have slightly more data. (c) 2012 Elsevier Inc. All rights reserved.

Lei Duo,Chao Li,Keqin Feng

2007-01-01

Abstract:In this paper, a square like attack on Camellia is presented, by which 9-round 128-bit key Camellia without FL/FL-1 functions layer and whitening is breakable with complexity of 286.9 encryptions and 266 data and 12-round 256-bit key Camellia without FL/FL-1 function layer and whitening is breakable with the complexity of 2250.8 encryptions and 266 data. And we can also apply such method to block cipher having XORing sBoxes in diffusion layer.

Zhiqiang Liu,Bing Sun,Qingju Wang,Kerem Varici,Dawu Gu

DOI: https://doi.org/10.1049/iet-ifs.2014.0614

2015-01-01

IET Information Security

Abstract:Camellia is one of the widely used block ciphers, which has been included in the NESSIE block cipher portfolio and selected as a standard by ISO/IEC. In this study, the authors observe that there exist some interesting properties of the FL/FL −1 functions in Camellia. With this observation they derive some weak keys for the cipher, based on which they present the first known 8-round zero-correlation linear distinguisher of Camellia with FL/FL −1 layers. This result shows that the FL/FL −1 layers inserted in Camellia cannot resist zero-correlation linear cryptanalysis effectively for some weak keys since the currently best zero-correlation linear distinguisher for Camellia without FL/FL −1 layers also covers eight rounds. Moreover, by using the novel distinguisher, they launch key recovery attacks on 13-round Camellia-192 and 14-round Camellia-256. To their knowledge, these results are the best for Camellia-192 and Camellia-256 with FL/FL −1 and whitening layers.

李玮,谷大武

DOI: https://doi.org/10.3321/j.issn:1000-436x.2008.10.020

2008-01-01

Abstract:On the basis of the byte-oriented fault model and the differential analysis,a differential fault analysis on the SMS4 cipher by inducing faults in its key schedule was proposed.Mathematical analysis and simulating experiment show that the attack could recover its 128-bit secret key by introducing only eight faulty ciphertexts.Simultaneously,a method of distinguishing effective faults was presented to increase the efficiency of fault injection and decrease the num-ber of faulty ciphertexts.Thus,experiment results are beneficial to the analysis of other iterated block ciphers.

Leibo Li,Keting Jia,Xiaoyun Wang,Xiaoyang Dong

DOI: https://doi.org/10.1007/978-3-662-48116-5_3

2015-01-01

Abstract:As one of the generalizations of differential cryptanalysis, the truncated differential cryptanalysis has become a powerful toolkit to evaluate the security of block ciphers. In this article, taking advantage of the meet-in-the-middle like technique, we introduce a new method to construct truncated differential characteristics of block ciphers. Based on the method, we propose 10-round and 8-round truncated differential characteristics for CLEFIA and Camellia, respectively, which are ISO standard block ciphers. Applying the 10-round truncated differential characteristic for CLEFIA, we launch attacks on 14/14/15-round CLEFIA-128/192/256 with 2(108), 2(135) and 2(203) encryptions, respectively. For Camellia, we utilize the 8-round truncated differential to attack 11/12-round Camellia-128/192 including the FL/FL-1 and whiten layers with 2(121.3) and 2(185.3) encryptions. As far as we know, most of the cases are the best results of these attacks on both ciphers.

Yaoling Ding,Xiaoyun Wang,Ning Wang,Wei Wang

DOI: https://doi.org/10.1007/s11432-016-9104-3

2017-01-01

Science China Information Sciences

Abstract:Camellia is an international standard adopted by ISO/IEC and is recommended by CRYPTREC and NESSIE project.Wuet al.[1] presented an effective tool to search truncated impossible differentials for word-oriented block ciphers with bijective Sboxes.However,their method only adopted Sbox as the nonlinear part and cannot be applied to Camellia with FL/FL-1 layers.We discover the difference propagation of three basic components employed in the FL/FL-1 layers,i.e.,AND,OR,ROTATION operations,and generalize the automatic search to consider more nonlinear operations.Using this system,we search for impossible differentials of round-reduced Camellia with FL/FL-1 layers.Moreover,by some changes in the nonlinear subsystem,our algorithm can be easily adjusted to be compatible with searching for impossible differentials which are with restrictions on input/output differences or subkeys.Table 1 summaries our searching results and compares them with the previous results.

Wei Li,Dawu Gu,Yong Wang,Ya Liu,Zhiqiang Liu

DOI: https://doi.org/10.1109/EBISS.2010.5473514

2010-01-01

Abstract:SMS4 is a 128-bit block cipher published by as released as the symmetric-key encryption standard of Wireless Local Area Network(WLAN) by China in 2006. On the differential analysis principle, we propose an extension of differential fault attack on the SMS4 cipher. Mathematical analysis shows that our attack can recover its secret key by introducing about 40 faulty ciphertexts. Our work expands the locations of the fault injection into SMS4.

Wei Li,Dawu Gu,Juanru Li

DOI: https://doi.org/10.1016/j.ins.2008.05.031

IF: 8.1

2008-01-01

Information Sciences

Abstract:The ARIA algorithm is a Korean Standard block cipher, which is optimized for lightweight environments. On the basis of the byte-oriented model and the differential analysis principle, we propose a differential fault attack on the ARIA algorithm. Mathematical analysis and simulating experiment show that our attack can recover its 128-bit secret key by introducing 45 faulty ciphertexts. Simultaneously, we also present a fault detection technique for protecting ARIA against this proposed analysis. We believe that our results in this study will also be beneficial to the analysis and protection of the same type of other iterated block ciphers.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Dawu Gu,Juanru Li,Sheng Li,Zhouqian Ma,Zheng Guo,Junrong Liu

DOI: https://doi.org/10.1109/fdtc.2012.16

2012-01-01

Abstract:Differential fault analysis is one of the most efficient side channel attack techniques that threat the security of block cipher. However, it often requires a penultimate or an antepenultimate round faulty encryption and is not suitable for middle round fault. This paper presents attacks combining differential fault analysis with statistical cryptanalysis techniques against lightweight ciphers. The analysis makes use of statistical cryptanalysis techniques in practice rather than theoretically, and exploits the weakness of bit-permutation adopted by many lightweight block ciphers under fault attack. Specific attacks against PRESENT and PRINT\scriptsize{CIPHER} \normalsize are given to prove the validity. The result shows that about one fifth of the iterative rounds are needed to be protected for these lightweight ciphers with bit-permutation.

Zongyue Wang,Xiaoyang Dong,Keting Jia,Jingyuan Zhao

DOI: https://doi.org/10.1155/2014/251853

IF: 1.43

2014-01-01

Mathematical Problems in Engineering

Abstract:The confidentiality of GSM cellular telephony depends on the security of A5 family of cryptosystems. As an algorithm in this family survived from cryptanalysis, A5/3 is based on the block cipher KASUMI. This paper describes a novel differential fault attack on KAUSMI with a 64-bit key. Taking advantage of some mathematical observations on the FL, FO functions, and key schedule, only one 16-bit word fault is required to recover all information of the 64-bit key. The time complexity is only 2(32) encryptions. We have practically simulated the attack on a PC which takes only a few minutes to recover all the key bits. The simulation also experimentally verifies the correctness and complexity.

LI Wei,WU Yixin,GU Dawu,LI Jiayao,CAO Shan,WANG Menglin,CAI Tianpei,DING Xiangwu,LIU Zhiqiang

DOI: https://doi.org/10.7544/issn1000-1239.2018.20180437

2018-01-01

Journal of Computer Research and Development

Abstract:The ciphertext-only fault analysis on the SIMON cipher was proposed by injecting a random nibble fault under the random nibble fault model.After injecting faults,every faulty ciphertext could be decrypted and the statistical distribution of all intermediate states were analyzed by the attackers.On the basis of the previous distinguishers of SEI,GF,MLE,MLE-SEI,GF-SEI and GF-MLE,four novel distinguishers of GF-MAP,HW-MLE,GF-HW and HW-MAP were proposed to reduce faults.The results show that the SIMON cipher cannot resist against the ciphertext-only fault analysis.It provides an important reference for security analysis of other ciphers.

Fan Zhang,Yiran Zhang,Xinjie Zhao,Shize Guo,Ziyuan Liang,Samiya Qureshi

DOI: https://doi.org/10.1109/PADSW.2018.8645010

2018-01-01

Abstract:The block cipher LED is well suited for resource-constrained scenarios. However, it is vulnerable to the recent fault attacks and different results have been achieved even under the same fault model. In this paper, a comprehensive investigation is conducted on the fault analysis on LED. A novel differential fault analysis is proposed, which is based on the so-called constraint equations. The proposed attack can combine constraint equations at different levels, pushing the differential fault analysis on LED towards its limit in terms of the time complexity, the data complexity and the remained key search space. Under random nibble fault model, SINGLE fault injection can reduce the key search space of LED-64 to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">7.90</sup> within 1.89s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">17.65</sup> within 7 minutes in prior finest contributions. As to DFA on LED-128, TWO fault injections can reduce the key search space to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">15.82</sup> within 247.88s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">21.96</sup> within 16 minutes in previous work. To the best of our knowledge, the scheme that we proposed is the most efficient fault attack on LED cryptosystems.

Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.