Yiyuan Luo,Zhongming Wu,Xuejia Lai

2009-01-01

Abstract:In this paper, we propose a systematic search method for finding the impossible differential characteristic for block cipher structures, better than the U-method introduced by Kim et al (6). This method is referred as unified impossible differential (UID) cryptanalysis. We give practical UID cryptanalysis on some popular block ciphers and give the detailed impossible differential characteristics. On the generalized CAST-256 and generalized MARS block cipher structure, our results are better than the U-method. On the Four-Cell, FOX64, our results are the same as previous best manual works. Thus UID method can be used as a tool for examining the security of a block cipher structure against impossible differential cryptanalysis.

Li Zhang,Yu Zhang,Wenling Wu,Yongxia Mao,Yafei Zheng

DOI: https://doi.org/10.1093/comjnl/bxad009

2023-03-09

The Computer Journal

Abstract:Abstract Whether a block cipher can resist impossible differential attack is an important basis to evaluate the security of a block cipher. However, the length of impossible differentials is important for the security evaluation of block ciphers. Most of the previous studies are based on structural cryptanalysis to find the impossible differential, and the structural cryptanalysis covers a lot of specific cryptanalytic vectors which are independent of the nonlinear S-boxes. In this paper, we study the maximum length of the impossible differential of an Advanced Encryption Standard-like cipher in the setting with the details of S-boxes. Inspired by the ‘Divide-and-Conquer’ technique, we propose a new technique called Reduced Block, which combines the details of the S-box. With this tool, the maximum length of impossible differentials can be proven under reasonable assumptions. As applications, we use this tool on uBlock and Midori. Consequently, we prove that for uBlock-128, uBlock-256 and Midori-64, there are no impossible five-round, six-round and seven-round differentials with one active input nibble and one active output nibble, even when considering the details of S-boxes. Furthermore, we reveal some properties of the uBlock S-box and linear layer and demonstrate theoretically that there are no impossible differentials longer than four rounds for uBlock-128 under the assumption that the round keys are independent and uniformly random. This study might provide some insight into the bounds of the length of impossible differentials.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Weijia Xue,Xuejia Lai

DOI: https://doi.org/10.1049/iet-ifs.2014.0183

2015-01-01

IET Information Security

Abstract:The MARS-like structure is a generalised Feistel structure. Unified impossible differential (UID) method is an effective method to discover impossible differential characteristics for block cipher structures. In this study, for a specific kind of MARS-like structure, the authors use UID to show that when n, the number of subblocks, is even, there always exist 3n - 1 rounds impossible differentials. Moreover, the authors prove that when n is odd, the MARS-like structure has impossible differentials for any number of rounds, which is a clear but interesting result.

Xue Weijia,Lai Xuejia

DOI: https://doi.org/10.2991/esac-15.2015.16

2015-01-01

Abstract:Unified Impossible Differential (UID) cryptanalysis is a systematic method to find impossible differentials for block ciphers and there are large amount of cryptanalysis results coming out by using it. ARIA is a Korean block cipher expecting no impossible differential chains on four or more rounds. In this paper, we apply UID to ARIA and 89136 four rounds impossible differential chains are found. With the optimization of the conflict searching algorithms, UID gets better results compared with former cryptanalysis results. Moreover, we conclude that no impossible differential chains with number of rounds larger than four can be found by the UID method.

Kai Zhang,Senpeng Wang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Tairong Shi

DOI: https://doi.org/10.1109/tit.2023.3292241

IF: 2.5

2023-01-01

IEEE Transactions on Information Theory

Abstract:In this paper, a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis is proposed. This framework is constructed based on three different methods towards finding the theoretical upper boundary, theoretical lower boundary, and practical boundary of impossible differential distinguishers (short for ID) respectively. The provable security boundary (upper boundary) can be calculated with two round-function-related matrices through a few matrix multiplications, this calculation is beyond actual input and output differences. For searching longer IDs (lower boundary), an automatic method is proposed. With this method, given the input and output difference, all the possible direct and indirect contradictions are detected. For the practical boundary, a method of approximating all the potential longest IDs with concrete differential trails is introduced. The three boundaries validate the correctness from each other. According to our result, on the one hand, the boundaries derived with well-designed ID-construction methods can already reach the practical boundary for some block ciphers and it is unlikely to be improved based on known construction methods or future unknown construction methods. On the other hand, for those ciphers whose current best result does not reach our boundary, longer IDs can be discovered with this framework. The correctness is validated by a series of applications. For the provable security boundary, four family ciphers-SIMON, Simeck, Friet-PC and SAND are investigated. For SIMON and Simeck, the lengths of current longest IDs have reached their provable security boundaries. For Friet-PC and SAND, there is a gap between the provable security boundary and current best results. With the automatic searching method, some longer IDs on Friet-PC and SAND are discovered. For Friet-PC, 128 11-round IDs are discovered, while the previous best differential distinguisher is 9-round. For SAND64, 256 11-round IDs are proposed. For SAND128, 456 14-round IDs are presented. Both results extend previous longest IDs by one round and all these newly proposed distinguishers reached corresponding provable security boundaries. For Simeck, the length of longest IDs has not been improved. However, more distinguishers of the same length are discovered. For Simeck64, the increased ratio for the quantity can reach 300%. Besides, the practical boundary of SIMON is investigated, the results indicate that for SIMON, the practical boundary is identical with the provable security boundary or the boundary derived with the automatic searching method.

Cui Tingting,Chen Shiyao,Fu Kai,Wang Meiqin,Jia Keting

DOI: https://doi.org/10.1007/s11432-018-1506-4

2020-01-01

Science China Information Sciences

Abstract:Impossible differential and zero-correlation linear cryptanalysis are two of the most powerful cryptanalysis methods in the field of symmetric key cryptography. There are several automatic tools to search such trails for ciphers with S-boxes. These tools focus on the properties of linear layers, and idealize the underlying S-boxes, i.e., assume any input and output difference pairs are possible. In reality, such S-box never exists, and the possible output differences with any fixed input difference can be at most half of the entire space. Hence, some of the possible differential trails under the ideal world become impossible in reality, possibly resulting in impossible differential trails for more rounds. In this paper, we firstly take the differential and linear properties of non-linear components such as S-box into consideration and propose a new automatic tool to search impossible differential trails for ciphers with S-box. We then generalize the tool to modulo addition, and apply it to ARX ciphers. To demonstrate the usefulness of the tool, we apply it to HIGHT, SHACAL-2, LEA, LBlock. As a result, it improves the best existing results of each cipher. keywords Impossible differential cryptanalysis, zero-correlation linear cryptanalysis, MILP, automatic tool

Ya Liu,Yifan Shi,Dawu Gu,Bo Dai,Fengyu Zhao,Wei Li,Zhiqiang Liu,Zhiqiang Zeng

DOI: https://doi.org/10.1007/s11432-017-9365-4

2019-01-01

Science China Information Sciences

Abstract:Rijndael is a substitution-permutation network (SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256, that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2244.4 chosen plaintexts, 2240.1 encryptions, and 2181.4 blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2214.4 chosen plaintexts, 2241.3 encryptions, and 2183.4 blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2214.4 chosen plaintexts, 2113.4 encryptions, and 287.4 blocks, respectively, or 2206.6 chosen plaintexts, 2153.6 encryptions, and 2111.6 blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.

Yi Zhang,Guoqiang Liu,Chao Li,Xuan Shen

DOI: https://doi.org/10.1016/j.jisa.2022.103279

IF: 4.96

2022-09-01

Journal of Information Security and Applications

Abstract:To promote the theory and application of cryptology, the design and implementation of cryptographic algorithms, in 2018, the Chinese Association for Cryptologic Research held the National Cryptographic Algorithm Design Competition. After the first round evaluation of security and implementation, FBC is selected one of the 10 block ciphers for the second round. FBC adopts 4-branch Extended Generalized Feistel Networks (EGFN) and it is designed with efficient implementation and good resistance against side-channel attacks. In this paper, we focus on the impossible differential attack, which is one of the most basic cryptanalytical methods, against FBC with 128-bit block size and key size (FBC-128). First, an equivalent expression with improved clarity of the round functions was derived. Then a structural property concerning the relationship among branches was explored. Combining those properties of its round function and structure, 9-round truncated impossible differentials were constructed for FBC-128, which is 2 rounds longer than previous works. Using this distinguisher, 13-round key recovery attack was mounted. The data and time complexity is 2126 chosen-plaintexts and 2122.96 encryptions respectively. To our knowledge, this is the best attack so far in terms of attacked rounds. Our attack exploited the properties of both structure and round function of FBC, and those observation and analysis would be beneficial to the understanding of FBC. Moreover, our results demonstrate when constructing impossible differentials, differentials with low hamming weight input and output difference may not always be optimal, which calls for more comprehensive analysis of the differential pattern.

computer science, information systems

Qingju Wang,Dawu Gu,Vincent Rijmen,Ya Liu,Jiazhe Chen,Andrey Bogdanov

DOI: https://doi.org/10.1007/978-3-642-37682-5_10

2012-01-01

Abstract:In this paper, we present more powerful 6-round impossible differentials for large-block Rijndael-224 and Rijndael-256 than the ones used by Zhang et al. in ISC 2008. Using those, we can improve the previous impossible differential cryptanalysis of both 9-round Rijndael-224 and Rijndael-256. The improvement can lead to 10-round attack on Rijndael-256 as well. With 2198.1 chosen plaintexts, an attack is demonstrated on 9-round Rijndael-224 with 2195.2 encryptions and 2140.4 bytes memory. Increasing the data complexity to 2216 plaintexts, the time complexity can be reduced to 2130 encryptions and the memory requirements to 293.6 bytes. For 9-round Rijndael-256, we provide an attack requiring 2229.3 chosen plaintexts, 2194 encryptions, and 2139.6 bytes memory. Alternatively, with 2245.3 plaintexts, an attack with a reduced time of 2127.1 encryptions and a memory complexity of 290.9 bytes can be mounted. With 2244.2 chosen plaintexts, we can attack 10-round Rijndael-256 with 2253.9 encryptions and 2186.8 bytes of memory.

Huiqin Xie,Qiqing Xia,Ke Wang,Yanjun Li,Li Yang

2024-07-14

Abstract:Due to the superiority of quantum computing, traditional cryptography is facing severe threat. This makes the security evaluation of cryptographic systems in quantum attack models significant and urgent. For symmetric ciphers, the security analysis heavily relies on cyptanalytic tools. Thus exploring the use of quantum algorithms to traditional cyptanalytic tools has drawn a lot of attention. In this study, we utilize quantum algorithms to improve impossible differential attack, and design two quantum automatic tools for searching impossible differentials. The proposed quantum algorithms exploit the idea of miss-in-the-middle and the properties of truncated differentials. We rigorously prove their validity and calculate the quantum resources required to implement them. Compared to existing classical automatic cryptanalysis, the quantum tools proposed have the advantage of accurately characterizing S-boxes while only requiring polynomial complexity, and can take into consideration the impact of the key schedules in single-key model.

Quantum Physics

Huiqin Xie,Qiqing Xia,Ke Wang,Yanjun Li,Li Yang

DOI: https://doi.org/10.3390/math12162598

IF: 2.4

2024-08-24

Mathematics

Abstract:Due to the superiority of quantum computing, traditional cryptography is facing a severe threat. This makes the security evaluation of cryptographic systems in quantum attack models both significant and urgent. For symmetric ciphers, the security analysis heavily relies on cryptanalysis tools. Thus, exploring the use of quantum algorithms in traditional cryptanalysis tools has garnered considerable attention. In this study, we utilize quantum algorithms to improve impossible differential attacks and design two quantum automated tools to search for impossible differentials. The proposed quantum algorithms exploit the idea of miss-in-the-middle and the properties of truncated differentials. We rigorously prove their validity and calculate the quantum resources required for their implementation. Compared to the existing classical automated cryptanalysis, the proposed quantum tools have the advantage of accurately characterizing S-boxes while only requiring polynomial complexity, and can take into consideration the impact of the key schedules in a single-key model.

mathematics

Keting Jia,Ning Wang

DOI: https://doi.org/10.1007/978-3-319-40367-0_23

2016-01-01

Abstract:As an international standard by ISO/IEC, Camellia is a widely used block cipher, which has received much attention from cryptanalysts. The impossible differential attack is one of efficient methods to analyze Camellia. Liu et al. gave an 8-round impossible differential, of which the input and output differences depend on some weak keys. In this paper, we apply some key relations to build the precomputation table to reduce time complexity and give some relations between the size of weak key sets and the number of input and output differences of the impossible differentials, which are used to balance the time complexity and the fraction of key space attacked. Furthermore, we give an impossible differential attack on 14-round Camellia-192 with $$2^{126.5}$$ known plaintexts and $$2^{189.32}$$ encryptions. Our impossible differential attack works one more round than previous cryptanalysis results.

Ya Liu,Dawu Gu,Zhiqiang Liu,Wei Li

DOI: https://doi.org/10.1016/j.jss.2012.05.051

2012-01-01

Abstract:As an international standard adopted by ISO/IEC, the block cipher Camellia has been used in various cryptographic applications. In this paper, we reevaluate the security of Camellia against impossible differential cryptanalysis. Specifically, we propose several 7-round impossible differentials with the FL/FL-1 layer. Based on one of them, we mount impossible differential attacks on 11-round Camellia-192 and 12-round Camellia-256. The data complexities of our attacks on 11-round Camellia-192 and 12-round Camellia-256 are about 2(120) chosen plaintexts and 2(119.8) chosen plaintexts, respectively. The corresponding time complexities are approximately 2(167.1) 11-round encryptions and 2(220.87) 12-round encryptions. As far as we know, our attacks are 2(16.9) times and 2(19.13) times faster than the previously best known ones but have slightly more data. (c) 2012 Elsevier Inc. All rights reserved.

Leibo Li,Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-25513-7_4

2011-01-01

Abstract:Camellia is one of the widely used block ciphers, which has been selected as an international standard by ISO/IEC. In this paper, by exploiting some interesting properties of the key-dependent layer, we improve previous results on impossible differential cryptanalysis of reduced-round Camellia and gain some new observations. First, we introduce some new 7-round impossible differentials of Camellia for weak keys. These weak keys that work for the impossible differential take 3/4 of the whole key space, therefore, we further get rid of the weak-key assumption and leverage the attacks on reduced-round Camellia to all keys by utilizing the multiplied method. Second, we build a set of differentials which contains at least one 8-round impossible differential of Camellia with two FL/FL−1 layers. Following this new result, we show that the key-dependent transformations inserted in Camellia cannot resist impossible differential cryptanalysis effectively. Based on this set of differentials, we present a new cryptanalytic strategy to mount impossible differential attacks on reduced-round Camellia.

Kai Zhang,Xuejia Lai,Jie Guan,Bin Hu

DOI: https://doi.org/10.3837/tiis.2022.03.012

2022-01-01

KSII Transactions on Internet and Information Systems

Abstract:In the year 2020, a new lightweight block cipher mu(2) is proposed. It has both good software and hardware performance, and it is especially suitable for constrained resource environment. However, the security evaluation on mu(2) against impossible differential cryptanalysis seems missing from the specification. To fill this gap, an impossible differential cryptanalysis on mu(2) is proposed. In this paper, firstly, some cryptographic properties on mu(2) are proposed. Then several longest 7-round impossible differential distinguishers are constructed. Finally, an impossible differential cryptanalysis on mu(2) reduced to 10 rounds is proposed based on the constructed distinguishers. The time complexity for the attack is about 2(69.63) 10-round mu(2) encryptions, the data complexity is O(2(48)), and the memory complexity is 2(63.57) Bytes. The reported result indicates that mu(2) reduced to 10 rounds can't resist against impossible differential cryptanalysis.

Liu Ya,Dawu Gu,Zhiqiang Liu,Wei Li,Weihao Kong

DOI: https://doi.org/10.1007/978-94-007-2792-2_43

2011-01-01

Abstract:In this paper, we propose a novel impossible differential attack on 7-round AES-128. Firstly, we construct some new 2-round impossible differentials of AES, which allow us to distinguish the wrong keys from the correct key more efficiently. Based on them, we present an impossible differential attack on 7-round AES-128. The data complexity is about $$ 2^{80} $$ chosen plaintexts. Compared to the best known result, the data complexity of our attack is reduced by nearly $$ 2^{ - 26.2} $$ times.

王薇,王小云

DOI: https://doi.org/10.3724/SP.J.1001.2009.00576

2009-01-01

Journal of Software

Abstract:An improved impossible differential attack on the block cipher CLEFIA is presented.CLEFIA was proposed by Sony Corporation at FSE 2007.Combining some observations with new tricks,the wrong keys are filtered out more efficiently,and the original impossible differential attack on 11-round CLEFIA-192/256 published by the designers,is extended to CLEFIA-128/192/256,with about 2103.1 encryptions and 2103.1 chosen plaintexts.By putting more constraint conditions on plaintext pairs,we present an attack on 12-round CLEFIA for all three key lengths with 2119.1 encryptions and 2119.1 chosen plaintexts.Moreover,a birthday sieve method is introduced to decrease the complexity of the precomputation.And an error about the time complexity evaluation in Tsunoo et al.'s attack on 12-round CLEFIA is pointed out and corrected.

Yong Liu,Zejun Xiang,Siwei Chen,Shasha Zhang,Xiangyong Zeng

DOI: https://doi.org/10.1007/978-3-031-33488-7_5

2023-01-01

Abstract:The Mixed Integer Linear Programming (MILP) is a common method of searching for impossible differentials (IDs). However, the optimality of the distinguisher should be confirmed by an exhaustive search of all input and output differences, which is clearly computationally infeasible due to the huge search space. In this paper, we propose a new technique that uses two-dimensional binary variables to model the input and output differences and characterize contradictions with constraints. In our model, the existence of IDs can be directly obtained by checking whether the model has a solution. In addition, our tool can also detect any contradictions between input and output differences by changing the position of the contradictions. Our method is confirmed by applying it to several block ciphers, and our results show that we can find 6-, 13-, and 12-round IDs for Midori-64, CRAFT, and SKINNY-64 within a few seconds, respectively. Moreover, by carefully analyzing the key schedule of Midori-64, we propose an equivalent key transform technique and construct a complete MILP model for an 11-round impossible differential attack (IDA) on Midori-64 to search for the minimum number of keys to be guessed. Based on our automatic technique, we present a new 11-round IDA on Midori-64, where 23 nibbles of keys need to be guessed, which reduces the time complexity compared to previous work. The time and data complexity of our attack are 2 116.59 and 2 60 , respectively. To the best of our knowledge, this is the best IDA on Midori-64 at present.

Zhan Chen,Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-49151-6_1

2016-01-01

Abstract:The Midori family of light weight block cipher is presented in ASIACRYPT2015. It is uses a SPN structure and has two versions: Midori64 and Midori128. In this paper we use a 6-round impossible differential path and present 10-round impossible differential attack on Midori128. We exploit the properties of S-boxes to aid our attack. We construct a hash table in the pre-computation phase to reduce time complexity. Our attack requires 2(116.17) chosen plaintexts, 2(97) blocks of memory and 2(116.71) 10-round Midori128 encryptions. We show that this is the first attack ever applied to Midori128.

Jiazhe Chen,Keting Jia,Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-22497-3_2

2011-01-01

Abstract:Camellia, which is a block cipher selected as a standard by ISO/IEC, is one of the most widely used block ciphers. In this paper, we propose several 6-round impossible differentials of Camellia with FL/FL-1 layers in the middle of them. With the impossible differentials and a well-organized precomputed table, impossible differential attacks on 10-round Camellia-192 and 11-round Camellia-256 are given, and the time complexities are 2(175.3) and 2(206.8) respectively. In addition, an impossible differential attack on 15-round Camellia-256 without FL/FL-1 layers and whitening is also be given, which needs about 2(236.1) encryptions. To the best of our knowledge, these are the best cryptanalytic results of Camellia-192/-256 with FL/FL-1 layers and Camellia-256 without FL/FL-1 layers to date.