Yiyuan Luo,Xuejia Lai,Zheng Gong

DOI: https://doi.org/10.1016/j.ipl.2010.10.012

IF: 0.851

2010-01-01

Information Processing Letters

Abstract:In this paper we find that the two-round (extended) Lai–Massey scheme is not pseudorandom and three-round (extended) Lai–Massey scheme is not strong pseudorandom. Combined with previous work, we prove that three rounds are necessary and sufficient for the pseudorandomness and four rounds are necessary and sufficient for the strong pseudorandomness.

Yiyuan Luo,Xuejia Lai,Jing Hu

2015-01-01

Journal of information science and engineering

Abstract:In this paper we prove beyond-birthday-bound for the (strong) pseudorandomness of many-round Lai-Massey scheme. Motivated by Hoang and Rogaway's analysis of generalized Feistel networks, we use the coupling technology from Markov chain theory and prove that for any epsilon > 0, with enough rounds, the Lai-Massey scheme is indistinguishable from a uniform random permutation by any computationally unbounded distinguisher making at most q similar to N1-epsilon combined chosen plaintext/ciphertext (CCA) queries, where N is the range size of the round function. Previous works by Vaudenay et al. and Yun et al. only proved the birthday-bound CCA security of Lai-Massey scheme.

Yiyuan Luo,Xuejia Lai,Yujie Zhou

DOI: https://doi.org/10.1007/s10623-016-0235-2

IF: 1.4

2016-01-01

Designs Codes and Cryptography

Abstract:In this paper we present generic attacks on the Lai–Massey scheme inspired by Patarin’s attacks on the Feistel scheme. For bijective round functions, the attacking results are better than non-bijective round functions for the 3, 4-round Lai–Massey scheme. Our results show that there are some security differences of these two schemes against known attacks. The generic attacks on the 4-round and 5-round Lai–Massey scheme require more complexity than the 4-round and 5-round Feistel scheme respectively. Through the analysis we believe the Lai–Massey scheme has some advantage than the Feistel scheme within 5 rounds.

Le Dong,Danxun Zhang,Wenya Li,Wenling Wu

DOI: https://doi.org/10.1007/s10623-024-01408-8

IF: 1.4

2024-05-08

Designs Codes and Cryptography

Abstract:In this study, we present the first yoyo attack to recover the secret round function of the 4-round Lai-Massey scheme with an affine orthomorphism. We first perform a yoyo attack on 3-round Lai-Massey scheme. However, the original method for constructing plaintext equations is not sufficiently effective. To solve this problem, we partition the ciphertext and plaintext spaces into subsets, which provides a fresh perspective on our yoyo attack. From this perspective, our study presents two improvements. One is that we devise an improved yoyo game in which the established ciphertext pool significantly narrows the search of good pairs compared with random selection, and the inserted filter can eliminate all wrong pairs using simple XOR calculations. Consequently, the yoyo game is advantageous for reducing the complexity of seeking good pairs, and we can avoid the complexity involved in solving equations generated using wrong pairs. The other is that we present a valid method for solving equations, which helps to reduce the number of yoyos required to recover the first-round function. After removing the first round, the look-up tables of the remaining two round functions of the 3-round Lai-Massey scheme can be retrieved by selecting the inputs and accessing the outputs. On the basis of this attack, we mount a yoyo attack on the 4-round Lai-Massey scheme to recover the fourth-round function and then apply the above attack to the remaining three rounds. In general, the complete recovery of the 4-round Lai-Massey scheme requires time complexity O and memory O , where .

mathematics, applied,computer science, theory & methods

Chun Guo,Yiyuan Luo,Chenyu Xiao,Xiao, Chenyu

DOI: https://doi.org/10.1007/s10623-024-01361-6

IF: 1.4

2024-02-18

Designs Codes and Cryptography

Abstract:We study the Lai–Massey construction defined over bit strings w.r.t. the notion of sequential indifferentiability, which was introduced by Mandal et al. (in: Cramer (ed) TCC 2012, LNCS, Springer, Heidelberg, vol 7194, pp 285–302, 2012) and formalized known-key security of blockcipher structures. We first exhibit a sequential distinguisher against 5-round Lai–Massey structure when the underlying orthomorphism is linear. This enhances a 2011 result of Aumasson. As our main result, we (for the first time) prove sequential indifferentiability for 6-round Lai–Massey constructions (on bit strings) using six independent random round functions.

mathematics, applied,computer science, theory & methods

xuejia lai,james l massey,sean d murphy

DOI: https://doi.org/10.1007/3-540-46416-6_2

1991-01-01

Abstract:This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple (α, β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs that have difference β, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are also the mini-version of PES with block length 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round differential has a probability about 2-58. A differential cryptanalysis attack of PES(64) based on this differential is shown to require all 264 possible encryptions. This cryptanalysis of PES suggested a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric. A minor modification of PES, consistent with all the original design principles, is proposed that satisfies this new design criterion. This modified cipher, called Improved PES (IPES), is described and shown to be highly resistant to differential cryptanalysis.

Wenling Wu,Wentao Zhang,Dongdai Lin

2006-01-01

Abstract:This paper studies the security against difierential/linear cryptanalysis and the pseudorandomness for a class of generalized Feis- tel scheme with SP round function called GFSP. We consider the mini- mum number of active s-boxes in some consecutive rounds of GFSP,i.e., in four, eight and sixteen consecutive rounds, which provide the up- per bound of the maximum difierential/linear probabilities of 16-round GFSP scheme, in order to evaluate the strength against difierential/linear cryptanalysis. Furthermore, We investigate the pseudorandomness of GFSP, point out 7-round GFSP is not pseudorandom for non-adaptive adversary, by using some distinguishers, and prove that 8-round GFSP is pseudorandom for any adversaries.

Chun Guo,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-48800-3_16

2015-01-01

Abstract:Iterated Even-Mansour scheme (IEM) is a generalization of the basic 1-round proposal (ASIACRYPT '91). The scheme can use one key, two keys, or completely independent keys.Most of the published security proofs for IEM against relate-key and chosen-key attacks focus on the case where all the round-keys are derived from a single master key. Whereas results beyond this barrier are relevant to the cryptographic problem whether a secure blockcipher with key-size twice the block-size can be built by mixing two relatively independent keys into IEM and iterating sufficiently many rounds, and this strategy actually has been used in designing blockciphers for a long-time.This work makes the first step towards breaking this barrier and considers IEM with Interleaved Double independent round-keys:IDEMr((k(1), k(2)), m) = k(i) circle plus (P-r( ... k(1) circle plus P-2(k(2) circle plus P-1(k(1) circle plus m)) ...)),where i = 2 when r is odd, and i = 1 when r is even. As results, this work proves that 15 rounds can achieve (full) indifferentiability from an ideal cipher with O(q(8)/2(n)) security bound. This work also proves that 7 rounds is sufficient and necessary to achieve sequential-indifferentiability (a notion introduced at TCC 2012) with O(q(6)/2(n)) security bound, so that IDEM7 is already correlation intractable and secure against any attack that exploits evasive relations between its input-output pairs.

Chun Guo,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-48800-3_16

2015-01-01

Abstract:Iterated Even-Mansour scheme IEM is a generalization of the basic 1-round proposal ASIACRYPT '91. The scheme can use one key, two keys, or completely independent keys. Most of the published security proofs for IEM against relate-key and chosen-key attacks focus on the case where all the round-keys are derived from a single master key. Whereas results beyond this barrier are relevant to the cryptographic problem whether a secure blockcipher with key-size twice the block-size can be built by mixing two relatively independent keys into IEM and iterating sufficiently many rounds, and this strategy actually has been used in designing blockciphers for a long-time. This work makes the first step towards breaking this barrier and considers IEM with Interleaved Double independent round-keys: $$\\begin{aligned} \\text {IDEM}_rk_1,k_2,m=k_i\\oplus P_r\\ldots k_1\\oplus P_2k_2\\oplus P_1k_1\\oplus m\\ldots , \\end{aligned}$$ where $$i=2$$ when r is odd, and $$i=1$$ when r is even. As results, this work proves that 15 rounds can achieve full indifferentiability from an ideal cipher with $$O{q^{8}}/{2^n}$$ security bound. This work also proves that 7 rounds is sufficient and necessary to achieve sequential-indifferentiability a notion introduced at TCC 2012 with $$O{q^{6}}/{2^n}$$ security bound, so that $$\\text {IDEM}_{7}$$ is already correlation intractable and secure against any attack that exploits evasive relations between its input-output pairs.

Jiahong Wu,Nan Liu,Wei Kang

2023-12-10

Abstract:In this paper, we consider the case that sharing many secrets among a set of participants using the threshold schemes. All secrets are assumed to be statistically independent and the weak secure condition is focused on. Under such circumstances we investigate the infimum of the (average) information ratio and the (average) randomness ratio for any structure pair which consists of the number of the participants and the threshold values of all secrets. For two structure pairs such that the two numbers of the participants are the same and the two arrays of threshold values have the subset relationship, two leading corollaries are proved following two directions. More specifically, the bound related to the lengths of shares, secrets and randomness for the complex structure pair can be truncated for the simple one; and the linear schemes for the simple structure pair can be combined independently to be a multiple threshold scheme for the complex one. The former corollary is useful for the converse part and the latter one is helpful for the achievability part. Three new bounds special for the case that the number of secrets corresponding to the same threshold value $ t $ is lager than $ t $ and two novel linear schemes modified from the Vandermonde matrix for two similar cases are presented. Then come the optimal results for the average information ratio, the average randomness ratio and the randomness ratio. We introduce a tiny example to show that there exists another type of bound that may be crucial for the information ratio, to which we only give optimal results in three cases.

Information Theory

Ping JIA,Hong XU,Xue-jia LAI

DOI: https://doi.org/10.3969/j.issn.0372-2112

2017-01-01

Abstract:LBlock-s is the kernel block cipher of the authentication encryption algorithm LAC submitted to CAESAR competition.The general structure of LBlock-s is almost the same as that of LBlock,but LBlock-s adopts an improved key schedule algorithm with better diffusion property.Using the shifting relation of subkeys derived by the key schedule algorithm,an impossible differential cryptanalysis on 21-round LBlock-s was presented based on a 14-round impossible differential.The time and data complexities are 2.67.61 21-round encryptions and 2.63 chosen plaintexts respectively,and the number of subkey bits needed to be guessed is 72.Using partial-matching method,an impossible differential cryptanalysis on LBlock-s up to 23-round was also presented with time complexity less than exhaustion of all key bits.This work is useful for the security analysis of LAC algorithm.

Zhongming Wu,Yiyuan Luo,Xuejia Lai,Bo Zhu

DOI: https://doi.org/10.1007/978-3-642-14597-1_15

2010-01-01

Abstract:In this paper, we analyze the pseudorandomness of the high level structure of FOX64, and describe a 2-round pseudorandomness distinguisher and a 3-round strong pseudorandomness distinguisher, and thus prove that 3-round and 4-round are necessary to achieve the pseudorandomness and strong pseudorandomness respectively. We also find a 4-round impossible difference characteristic. By using it, an adversary can attack 5, 6 and 7-round FOX64 with 269, 2133 and 2197 encryptions respectively. which improves the best known attack by a factor of 240.4. This attack can be extended to 5-round FOX128 with 2133 encryptions.

Nianhao Zhu,Yujie Zhou,Hongming Liu

DOI: https://doi.org/10.1109/SNS-PCS.2013.6553838

2013-01-01

Abstract:Leakage power analysis (LPA) attacks aim at recovering the secret key of a cryptographic device from measurements of its static (leakage) power, as opposite to traditional power analysis attacks that are focused on the dynamic power. This novel power analysis attacks take advantage of the dependence of the leakage power of CMOS integrated circuits on the data they process. With the development of integrated circuits technology, LPA attacks are becoming a serious threat to the information security of cryptographic circuits in sub-100-nm technologies. This paper proposes a LPA countermeasure circuit based on random ring oscillators, which efficiently resists the LPA attacks. The implementation of the critical S-Box of the advanced encryption standard (AES) algorithm shows that using countermeasure of random ring oscillators can thwart LPA attack. Moreover, the countermeasure circuit can be mounted onto different symmetric algorithm which has S-Box architecture. Based on our approach, a LPA-resistant AES chip can be proposed to maintain the same throughput with less than 2K extra gates. Simulation results show the countermeasure proposed in this paper is a promising approach to implement a LPA-resistant crypto processor.

Lin Wang,Yang Wang,Huiwen Jia

DOI: https://doi.org/10.1049/2024/2786399

2024-01-23

IET Information Security

Abstract:Lattice-based encryption schemes are significant cryptographic primitives to defend information security against quantum menace, and the decryption failure rate is related to both theoretical and realistic security. We quantitatively analyze how the floating-point arithmetic and neglecting small probabilities impact the precision, and propose a new effective and efficient test of the failure probability. Therein explicit criteria are given to select the floating-point datatype and to decide which small probabilities should be abandoned. Furthermore, the outcome is theoretically ensured to meet a given precision. Moreover, by combining the heuristic estimate and the precise simulation, this test is more efficient than previously neglecting small probabilities in a practical way.

computer science, information systems, theory & methods

LIU Ren-jie,ZHOU Yu-jie

DOI: https://doi.org/10.3969/j.issn.1009-2552.2011.09.021

2011-01-01

Abstract:In recent years,many countermeasures against power analysis are proposed,such as the dual-rail technique,the masking technique and the dummy operation insertion technique.Close scrutiny of them reveals that they all have potential pitfalls and are vulnerable to statistical analysis(including high-order statistical analysis).This paper proposes a novel cryptosystem which brings forward a new structure making use of random dummy round-function blocks during encryption/decryption process.The cryptosystem makes the encryption/decryption process unfixed and unrepeatable,which brings much trouble to DPA data analysis.It designs to 51-microcontroller and makes power analysis experiments on the cryptosystem.It proves to be strongly resistant against power analysis.

Zhifang Zhang,Mulan Liu,Yeow Meng Chee,San Ling,Huaxiong Wang

DOI: https://doi.org/10.1007/978-3-540-89255-7

2008-12-13

Abstract:Strongly multiplicative linear secret sharing schemes (LSSS) have been a powerful tool for constructing secure multiparty computation protocols. However, it remains open whether or not there exist efficient constructions of strongly multiplicative LSSS from general LSSS. In this paper, we propose the new concept of a 3-multiplicative LSSS, and establish its relationship with strongly multiplicative LSSS. More precisely, we show that any 3-multiplicative LSSS is a strongly multiplicative LSSS, but the converse is not true; and that any strongly multiplicative LSSS can be efficiently converted into a 3-multiplicative LSSS. Furthermore, we apply 3-multiplicative LSSS to the computation of unbounded fan-in multiplication, which reduces its round complexity to four (from five of the previous protocol based on strongly multiplicative LSSS). We also give two constructions of 3-multiplicative LSSS from Reed-Muller codes and algebraic geometric codes. We believe that the construction and verification of 3-multiplicative LSSS are easier than those of strongly multiplicative LSSS. This presents a step forward in settling the open problem of efficient constructions of strongly multiplicative LSSS from general LSSS.

Cryptography and Security

Yong Wang,Zhuo Liu,Leo Yu Zhang,Fabio Pareschi,Gianluca Setti,Guanrong Chen

DOI: https://doi.org/10.1109/tcyb.2021.3129808

IF: 11.8

2021-01-01

IEEE Transactions on Cybernetics

Abstract:Applying the chaos theory for secure digital communications is promising and it is well acknowledged that in such applications the underlying chaotic systems should be carefully chosen. However, the requirements imposed on the chaotic systems are usually heuristic, without theoretic guarantee for the resultant communication scheme. Among all the primitives for secure communications, it is well accepted that (pseudo) random numbers are most essential. Taking the well-studied 2-D coupled map lattice (2D CML) as an example, this article performs a theoretical study toward pseudorandom number generation with the 2D CML. In so doing, an analytical expression of the Lyapunov exponent (LE) spectrum of the 2D CML is first derived. Using the LEs, one can configure system parameters to ensure the 2D CML only exhibits complex dynamic behavior, and then collect pseudorandom numbers from the system orbits. Moreover, based on the observation that least significant bit distributes more evenly in the (pseudo) random distribution, an extraction algorithm E is developed with the property that when applied to the orbits of the 2D CML, it can squeeze uniform bits. In implementation, if fixed-point arithmetic is used in binary format with a precision of z bits after the radix point, E can ensure that the deviation of the squeezed bits is bounded by 2^-z . Further simulation results demonstrate that the new method not only guides the 2D CML model to exhibit complex dynamic behavior but also generates uniformly distributed independent bits with good efficiency. In particular, the squeezed pseudorandom bits can pass both NIST 800-22 and TestU01 test suites in various settings. This study thereby provides a theoretical basis for effectively applying the 2D CML to secure communications.

automation & control systems,computer science, cybernetics, artificial intelligence

Shuai Han,Shengli Liu,Lin Lyu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-26951-7_15

2019-01-01

Abstract:We propose the concept of quasi-adaptive hash proof system (QAHPS), where the projection key is allowed to depend on the specific language for which hash values are computed. We formalize leakage-resilient(LR)-ardency for QAHPS by defining two statistical properties, including LR-< L-0, L-1 >-universal and LR-< L-0, L-1 >-key-switching. We provide a generic approach to tightly leakage-resilient CCA (LR-CCA) secure public-key encryption (PKE) from LR-ardent QAHPS. Our approach is reminiscent of the seminal work of Cramer and Shoup (Eurocrypt'02), and employ three QAHPS schemes, one for generating a uniform string to hide the plaintext, and the other two for proving the well-formedness of the ciphertext. The LR-ardency of QAHPS makes possible the tight LR-CCA security. We give instantiations based on the standard k-Linear (k-LIN) assumptions over asymmetric and symmetric pairing groups, respectively, and obtain fully compact PKE with tight LR-CCA security. The security loss is O(log Q(e)) where Q(e) denotes the number of encryption queries. Specifically, our tightly LR-CCA secure PKE instantiation from SXDH has only 4 group elements in the public key and 7 group elements in the ciphertext, thus is the most efficient one.

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1007/978-3-540-79499-8_32

2008-01-01

Abstract:The Lu-Lee public key cryptosystem and Adiga-Shankar's modification are considered to be insecure with cryptanalysis by integer linear programing, since only 2 or 3 unknown message blocks are used in the modular linear equation for encryption procedure. Unfortunately integer linear programming algorithms falls in trouble with more unknowns. In this paper we present a probabilistic algorithm for cryptanalysis of general Lu-Lee type systems with nmessage blocks. The new algorithm is base on lattice reduction and succeeds to break Lu-Lee type systems with up to 68 message blocks.

Ruoyu Ding,Chi Cheng,Yue Qin,Yue Qin Qin

DOI: https://doi.org/10.1109/jsyst.2022.3161264

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:To improve the security of mobile networks in the postquantum era, Dabra et al. recently proposed a lattice-based anonymous password-authenticated key exchange (LBA-PAKE) protocol for mobile devices. Especially, LBA-PAKE is claimed to support the key reuse. However, we find that LBA-PAKE is still vulnerable to the signal leakage attack when the master key is reused. We propose two strategies to reduce the needed number of queries in our attack. Compared to the method of Bindel et al., our method reduces the required queries by more than 75%. Our experiments show that breaking LBA-PAKE needs less than 2 min. Through analysis of why LBA-PAKE fails in their security proof, we further propose an improved protocol without incurring extra computation costs. The formal security analysis shows that our improved scheme supports all features of LBA-PAKE while thwarting the signal leakage attack. Moreover, the implementation of our improved protocol demonstrates its efficiency in mobile networks.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science