Ning Wang,Xiaoyun Wang,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-30840-1_9

2015-01-01

Abstract:LBlock is a 32-round lightweight block cipher with a 64-bit block size and an 80-bit key. This paper presents a new impossible differential attack on LBlock by improving the previous best result for 1 more round. Based on the nibble conditions, detailed differential properties of LBlock S-Boxes and thorough exploration of subkey relations, we set up well precomputation tables to collect the data needed and propose an optimal key-guessing arrangement to effectively reduce the time complexity of the attack. With these techniques, we launch an impossible differential attack on 24-round LBlock. To the best of our knowledge, this attack is currently the best in terms of the number of rounds attacked (except for biclique attacks).

Xuexin Zheng,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-12160-4_8

2014-01-01

Abstract:TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best considering different cryptanalysis methods, our algorithm which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively shows some novelty. Besides, some observations which may be used to mount other types of attacks are given. Overall, making use of some complicated subkey relations and time-memory tradeoff trick, the time, data and memory complexity of attacking 23-round TWINE-80 are 2(79.09) 23-round encryptions, 2(57.85) chosen plaintexts and 2(78.04) blocks respectively. Besides, the impossible differential attack on 24-round TWINE-128 needs 2(58.1) chosen plaintexts, 2(126.78) 24-round encryptions and 2(125.61) blocks of memory.

Li Zhang,Yu Zhang,Wenling Wu,Yongxia Mao,Yafei Zheng

DOI: https://doi.org/10.1093/comjnl/bxad009

2023-03-09

The Computer Journal

Abstract:Abstract Whether a block cipher can resist impossible differential attack is an important basis to evaluate the security of a block cipher. However, the length of impossible differentials is important for the security evaluation of block ciphers. Most of the previous studies are based on structural cryptanalysis to find the impossible differential, and the structural cryptanalysis covers a lot of specific cryptanalytic vectors which are independent of the nonlinear S-boxes. In this paper, we study the maximum length of the impossible differential of an Advanced Encryption Standard-like cipher in the setting with the details of S-boxes. Inspired by the ‘Divide-and-Conquer’ technique, we propose a new technique called Reduced Block, which combines the details of the S-box. With this tool, the maximum length of impossible differentials can be proven under reasonable assumptions. As applications, we use this tool on uBlock and Midori. Consequently, we prove that for uBlock-128, uBlock-256 and Midori-64, there are no impossible five-round, six-round and seven-round differentials with one active input nibble and one active output nibble, even when considering the details of S-boxes. Furthermore, we reveal some properties of the uBlock S-box and linear layer and demonstrate theoretically that there are no impossible differentials longer than four rounds for uBlock-128 under the assumption that the round keys are independent and uniformly random. This study might provide some insight into the bounds of the length of impossible differentials.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Yi Zhang,Guoqiang Liu,Chao Li,Xuan Shen

DOI: https://doi.org/10.1016/j.jisa.2022.103279

IF: 4.96

2022-09-01

Journal of Information Security and Applications

Abstract:To promote the theory and application of cryptology, the design and implementation of cryptographic algorithms, in 2018, the Chinese Association for Cryptologic Research held the National Cryptographic Algorithm Design Competition. After the first round evaluation of security and implementation, FBC is selected one of the 10 block ciphers for the second round. FBC adopts 4-branch Extended Generalized Feistel Networks (EGFN) and it is designed with efficient implementation and good resistance against side-channel attacks. In this paper, we focus on the impossible differential attack, which is one of the most basic cryptanalytical methods, against FBC with 128-bit block size and key size (FBC-128). First, an equivalent expression with improved clarity of the round functions was derived. Then a structural property concerning the relationship among branches was explored. Combining those properties of its round function and structure, 9-round truncated impossible differentials were constructed for FBC-128, which is 2 rounds longer than previous works. Using this distinguisher, 13-round key recovery attack was mounted. The data and time complexity is 2126 chosen-plaintexts and 2122.96 encryptions respectively. To our knowledge, this is the best attack so far in terms of attacked rounds. Our attack exploited the properties of both structure and round function of FBC, and those observation and analysis would be beneficial to the understanding of FBC. Moreover, our results demonstrate when constructing impossible differentials, differentials with low hamming weight input and output difference may not always be optimal, which calls for more comprehensive analysis of the differential pattern.

computer science, information systems

Lifang Liang,Xiaoni Du

DOI: https://doi.org/10.1080/01611194.2024.2334038

2024-05-18

Cryptologia

Abstract:NBC is a class of Type-II generalized Feistel structure algorithms with excellent software and hardware implementation performance. In this paper, we evaluate the security of NBC from the view point of multiple impossible differential. More precisely, using the idea of combining the matrix method and "meet-in-the-middle," we first obtain 4 types of 11-round impossible differentials for NBC-128 and 32 types of 14-round impossible differentials for NBC-256, respectively. Then, according to the characteristics of Feistel structure and the distinguisher, we perform 17-round, 19-round, and 22-round multiple impossible differential cryptanalysis on NBC-128-128, NBC-128-256, and NBC-256-256, respectively. Results indicate that NBC has sufficient security to resist an impossible differential attack, and the data and time complexity of our attack has been significantly reduced compared to previous ones.

mathematics, applied,computer science, theory & methods,history & philosophy of science

Keting Jia,Leibo Li

DOI: https://doi.org/10.1007/978-3-642-35416-8_2

2012-01-01

Abstract:MISTY1 is a Feistel block cipher with a 64-bit block and a 128-bit key. It is one of the final NESSIE portfolio of block ciphers, and has been recommended for Japanese e-Government ciphers by the CRYPTREC project. In this paper, we improve the impossible differential attack on 6-round MISTY1 with 4 FL layers introduced by Dunkelman et al. with a factor of 211 for the time complexity. Furthermore, combing with the FL function properties and the key schedule algorithm, we propose an impossible differential attack on 7-round MISTY1 with 3 FL layers, which needs 258 known plaintexts and 2124.4 7-round encryptions. It is the first attack on 7-round MISTY1 in the known plaintext model to the best of our knowledge. Besides, we show an improved impossible differential attack on 7-round MISTY1 without FL layers with 292.2 7-round encryptions and 255 chosen plaintexts, which has lower time complexity than previous attacks.

王薇,王小云

DOI: https://doi.org/10.3724/SP.J.1001.2009.00576

2009-01-01

Journal of Software

Abstract:An improved impossible differential attack on the block cipher CLEFIA is presented.CLEFIA was proposed by Sony Corporation at FSE 2007.Combining some observations with new tricks,the wrong keys are filtered out more efficiently,and the original impossible differential attack on 11-round CLEFIA-192/256 published by the designers,is extended to CLEFIA-128/192/256,with about 2103.1 encryptions and 2103.1 chosen plaintexts.By putting more constraint conditions on plaintext pairs,we present an attack on 12-round CLEFIA for all three key lengths with 2119.1 encryptions and 2119.1 chosen plaintexts.Moreover,a birthday sieve method is introduced to decrease the complexity of the precomputation.And an error about the time complexity evaluation in Tsunoo et al.'s attack on 12-round CLEFIA is pointed out and corrected.

Yao-Ling Ding,Jing-Yuan Zhao,Lei-Bo Li,Hong-Bo Yu

DOI: https://doi.org/10.6688/jise.2017.33.4.12

2017-01-01

Journal of information science and engineering

Abstract:PRINCE is a lightweight block cipher proposed at ASIACRYPT 2012, which is composed of a 12-round core cipher referred to as PRINCEcore and two key whitening layers. The security of the cipher mainly depends on PRINCEcore. In this paper, we give some observations on M' operation, a part of the linear layer in the round function, to construct a 4-round impossible differential distinguisher. Based on the distinguisher, impossible differential attacks on 6-round and 7-round PRINCEcore are launched. Moreover, we extend them to analysis 6- and 7-round PRINCE by guessing equivalent keys. The complexity of our attacks meets the security claims stated by the designers.

MeiQin Wang,XiaoYun Wang,Lucas C.K. Hui

DOI: https://doi.org/10.1007/s11432-010-0048-2

2010-01-01

Abstract:Differential cryptanalysis is a general cryptanalytic tool that makes use of differentials over some rounds of a cipher, combined with some key bit guesses of one or two rounds. This paper introduces a new cryptanalysis strategy of block ciphers named differential-algebraic cryptanalysis. The idea of differential-algebraic cryptanalysis is to find a differential with high probability and build the multivariable system equations for the last few rounds. The subkey values of the last few rounds can be obtained by filtering the solutions of system equations instead of guessing all possible subkey values. We use the differential-algebraic cryptanalysis to break 8-round Serpent-256. Our attack can recover the 256-bit key with 283 chosen plaintexts, 2180.4 8-round Serpent-256 encryptions and 2176.7 bytes memory. Compared with the previous differential cryptanalysis results, both the data complexity and the time complexity are reduced, but the memory requirements are increased. The time complexity and the memory requirements are very close, and a time-memory tradeoff is exploited.

Keting Jia,Ning Wang

DOI: https://doi.org/10.1007/978-3-319-40367-0_23

2016-01-01

Abstract:As an international standard by ISO/IEC, Camellia is a widely used block cipher, which has received much attention from cryptanalysts. The impossible differential attack is one of efficient methods to analyze Camellia. Liu et al. gave an 8-round impossible differential, of which the input and output differences depend on some weak keys. In this paper, we apply some key relations to build the precomputation table to reduce time complexity and give some relations between the size of weak key sets and the number of input and output differences of the impossible differentials, which are used to balance the time complexity and the fraction of key space attacked. Furthermore, we give an impossible differential attack on 14-round Camellia-192 with $$2^{126.5}$$ known plaintexts and $$2^{189.32}$$ encryptions. Our impossible differential attack works one more round than previous cryptanalysis results.

Leibo Li,Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-25513-7_4

2011-01-01

Abstract:Camellia is one of the widely used block ciphers, which has been selected as an international standard by ISO/IEC. In this paper, by exploiting some interesting properties of the key-dependent layer, we improve previous results on impossible differential cryptanalysis of reduced-round Camellia and gain some new observations. First, we introduce some new 7-round impossible differentials of Camellia for weak keys. These weak keys that work for the impossible differential take 3/4 of the whole key space, therefore, we further get rid of the weak-key assumption and leverage the attacks on reduced-round Camellia to all keys by utilizing the multiplied method. Second, we build a set of differentials which contains at least one 8-round impossible differential of Camellia with two FL/FL−1 layers. Following this new result, we show that the key-dependent transformations inserted in Camellia cannot resist impossible differential cryptanalysis effectively. Based on this set of differentials, we present a new cryptanalytic strategy to mount impossible differential attacks on reduced-round Camellia.

Zhan Chen,Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-49151-6_1

2016-01-01

Abstract:The Midori family of light weight block cipher is presented in ASIACRYPT2015. It is uses a SPN structure and has two versions: Midori64 and Midori128. In this paper we use a 6-round impossible differential path and present 10-round impossible differential attack on Midori128. We exploit the properties of S-boxes to aid our attack. We construct a hash table in the pre-computation phase to reduce time complexity. Our attack requires 2(116.17) chosen plaintexts, 2(97) blocks of memory and 2(116.71) 10-round Midori128 encryptions. We show that this is the first attack ever applied to Midori128.

Jiazhe Chen,Keting Jia,Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-22497-3_2

2011-01-01

Abstract:Camellia, which is a block cipher selected as a standard by ISO/IEC, is one of the most widely used block ciphers. In this paper, we propose several 6-round impossible differentials of Camellia with FL/FL-1 layers in the middle of them. With the impossible differentials and a well-organized precomputed table, impossible differential attacks on 10-round Camellia-192 and 11-round Camellia-256 are given, and the time complexities are 2(175.3) and 2(206.8) respectively. In addition, an impossible differential attack on 15-round Camellia-256 without FL/FL-1 layers and whitening is also be given, which needs about 2(236.1) encryptions. To the best of our knowledge, these are the best cryptanalytic results of Camellia-192/-256 with FL/FL-1 layers and Camellia-256 without FL/FL-1 layers to date.

Meiqin Wang,Xiaoyun Wang,Kam Pui Chow,Lucas Chi Kwong Hui

DOI: https://doi.org/10.1587/transfun.e93.a.2744

2010-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics and they can attack 5-round CAST-128. In this paper, we studied the properties of round functions F1 and F3 in CAST-128, and identified differential characteristics for F1 round function and F3 round function. So we identified a 6-round differential characteristic with probability 2-53 under 2-23.8 of the total key space. Then based on 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72bits and 9-round CAST-128 with key sizes greater than or equal to 104bits. We give the summary of attacks on reduced-round CAST-128 in Table 10.

Xiaoyang Dong,Yanzhao Shen

2016-01-01

Abstract:Midori is a hardware-oriented lightweight block cipher designed by Banik et al. in ASIACRYPT 2015. It has two versions according to the state sizes, i.e. Midori64 and Midori128. In this paper, we explore the security of Midori64 against truncated differential and related-key differential attacks. By studying the compact representation of Midori64, we get the branching distribution properties of almost MDS matrix used by Midori64. By applying an automatic truncated differential search algorithm developed by Moriai et al. in SAC 1999, we get 3137 4-round truncated differentials of Midori64. In addition, we find some 2-round iterative differential patterns for Midori64. By searching the differential characteristics matching the differential pattern, we find some iterative 2-round differentials with probability of 2−24, based on these differentials, a 11-round related-key differential characteristic is constructed. Then we mount a 14-round(out of 16 full rounds) related-key differential attack on Midori64. As far as we know, this is the first related-key differential attack on Midori64.

Duan LIU,Yibo LUO,Keting JIA,Guoyan ZHANG,Guangnan ZOU,Qidi YOU,Ying CHEN

DOI: https://doi.org/10.1360/SSI-2023-0189

2024-01-01

Abstract:FBC is a lightweight block cipher algorithm with a simple structure and is flexible for implementation with hardware and software.It was one of the 10 algorithms that was promoted to the second round of the National Cryptographic Algorithm Design Competition held by the Chinese Cryptographic Association(CACR)in 2018.The block cipher FBC family includes three versions and supports 128-and 256-bit blocks and 128-and 256-bit keys.In this paper,we focus on the 128-bit versions.We develop a new 14-round differential path for FBC128-128 based on the SAT-based automatic search model,with a probability of 2-102.25.Based on this differential path,we perform differential cryptanalysis of 18-round FBC128-128 and 20-round FBC128-256 keys.The differential cryptanalysis of 18-round FBC128-128 costs the time complexity of 2101.5 and memory complexity of 252.For the differential analysis of 20-round FBC128-256,the time and memory complexities are 2184 and 296,respectively.

Asli Bay,Jorge Nakahara,Serge Vaudenay

DOI: https://doi.org/10.1007/978-3-642-17619-7_1

2010-01-01

Abstract:This paper presents the first independent and systematic linear, differential and impossible-differential (ID) cryptanalyses of MIBS, a lightweight block cipher aimed at constrained devices such as RFID tags and sensor networks. Our contributions include linear attacks on up to 18-round MIBS, and the first ciphertext-only attacks on 13-round MIBS. Our differential analysis reaches 14 rounds, and our impossible-differential attack reaches 12 rounds. These attacks do not threaten the full 32-round MIBS, but significantly reduce its margin of security by more than 50%. One fact that attracted our attention is the striking similarity of the round function of MIBS with that of the Camellia block cipher. We actually used this fact in our ID attacks. We hope further similarities will help build better attacks for Camellia as well.

Rui Zong,Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-016-9075-6

2017-01-01

Science China Information Sciences

Abstract:Simpira v2 is a family of cryptographic permutations proposed at ASIACRYPT 2016, and can be used to construct high throughput block ciphers by using the Even-Mansour construction, permutationbased hashing, and wide-block authenticated encryption. This paper shows a 9-round impossible differential of Simpira-4. To the best of our knowledge, this is the first 9-round impossible differential. To determine some efficient key recovery attacks on its block cipher mode (Even-Mansour construction with Simpira-4), we use some 6/7-round shrunken impossible differentials. Based on eight 6-round impossible differentials, we propose a series of 7-round key recovery attacks on the block cipher mode; each 6-round impossible differential helps recover 32 bits of the master key (512 bits), and in total, half of the master key bits are recovered. The attacks require 257 chosen plaintexts and 257 7-round encryptions. Furthermore, based on ten 7-round impossible differentials, we add one round on the top or at the bottom to mount ten 8-round key recovery attacks on the block cipher mode. This helps recover the full key space (512 bits) with a data complexity of 2170 chosen plaintexts and time complexity of 2170 8-round encryptions. Those are the first attacks on the round-reduced Simpira v2 and do not threaten the Even-Mansour mode with the full 15-round Simpira-4.

Ting Fan,Lingchen Li,Yongzhuang Wei,Enes Pasalic

DOI: https://doi.org/10.1177/15501329221119398

IF: 1.938

2022-09-04

International Journal of Distributed Sensor Networks

Abstract:International Journal of Distributed Sensor Networks, Volume 18, Issue 9, September 2022. Lightweight ciphers are often used as the underlying encryption algorithm in resource-constrained devices. Their cryptographic security is a mandatory goal for ensuring the security of data transmission. Differential cryptanalysis is one of the most fundamental methods applicable primarily to block ciphers, and the resistance against this type of cryptanalysis is a necessary design criterion. ANU-II is an ultra-lightweight block cipher proposed in 2017, whose design offers many advantages such as the use of fewer hardware resources (logic gates), low power consumption and fast encryption for Internet of Things devices. The designers of ANU-II claimed its resistance against differential cryptanalysis and postulated that the design is safe enough for Internet of Things devices. However, as addressed in this article, the security claims made by designers appear not to be well grounded. Using mixed-integer linear programming–like techniques, we identify one-round differential characteristic that holds with probability 1, which is then efficiently employed in mounting the key recovery attack on full-round ANU-II with only 22 chosen plaintexts and 262.4 full-round encryptions. The result shows that the designers' security evaluation of ANU-II against differential cryptanalysis is incorrect and the design rationale is flawed. To remedy this weakness, we provide an improved variant of ANU-II, which has much better resistance to differential cryptanalysis without affecting the hardware and/or software implementation cost.

Wei Wang,Xiaoyun Wang

2007-01-01

Abstract:This paper presents an improved impossible differential attack on the new block cipher CLEFIA which is proposed by Sony Corporation at FSE 2007. Combining some observations with new tricks, we can filter out the wrong keys more efficiently, and improve the impossible differential attack on 11-round CLEFIA-192/256, which also firstly works for CLEFIA-128. The complexity is about 2 encryptions and 2 chosen plaintexts. By putting more constraint conditions on plaintext pairs, we give the first attack on 12-round CLEFIA for all three key lengths with 2 encryptions and 2 chosen plaintexts. For CLEFIA-192/256, our attack is applicable to 13-round variant, of which the time complexity is about 2, and the data complexity is 2. We also extend our attack to 14-round CLEFIA-256, with about 2 encryptions and 2 chosen plaintexts. Moreover, a birthday sieve method is introduced to decrease the complexity of the core precomputation.