Yiyuan Luo,Zhongming Wu,Xuejia Lai

2009-01-01

Abstract:In this paper, we propose a systematic search method for finding the impossible differential characteristic for block cipher structures, better than the U-method introduced by Kim et al (6). This method is referred as unified impossible differential (UID) cryptanalysis. We give practical UID cryptanalysis on some popular block ciphers and give the detailed impossible differential characteristics. On the generalized CAST-256 and generalized MARS block cipher structure, our results are better than the U-method. On the Four-Cell, FOX64, our results are the same as previous best manual works. Thus UID method can be used as a tool for examining the security of a block cipher structure against impossible differential cryptanalysis.

Yiyuan Luo,Xuejia Lai,Zhongming Wu,Guang Gong

DOI: https://doi.org/10.1155/2017/5980251

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:In this paper, we propose a systematic method for finding impossible differentials for block cipher structures, which we call the unified impossible differential finding method or UID-method. It is more effective than the U-method introduced by Kim et al. We apply the UID-method to some well-known block cipher structures. Using it, we find a 16-round impossible differential for Gen-Skipjack and a 19-round impossible differential for Gen-CAST256. By this result we can disprove Sung’s long standing conjecture that no such differential is possible for 16 or more rounds. On Gen-MARS and SMS4, the impossible differentials found by the UID-method are much longer than those found by the U-method. On the Four-Cell and Gen-RC6 block ciphers, our results are the same as the best results previously obtained.

SHEN Yu,LI Wei,GU Dawu,WU Yixin,CAO Shan,LIU Ya,LIU Zhiqiang,ZHOU Zhihong

DOI: https://doi.org/10.11959/j.issn.1000?436x.2019033

2019-01-01

Abstract:ARIA is a Korean standard block cipher,which is flexible to provide security for software and hardware implementation.Since its introduction,some research of fault analysis is devoted to attacking the last two rounds of ARIA.It is an open problem to know whether provoking faults at some former rounds of ARIA allowed recovering the secret key.An answer was given to solve this problem by showing a novel integral differential fault analysis on two rounds earlier of ARIA.The mathematical analysis and simulating experiments show that the attack can successfully recover its secret key by fault injections.The results in this study describe that the integral fault analysis is a strong threaten to the security of ARIA.The results are beneficial to the analysis of the same type of other block ciphers.

Wei Li,Dawu Gu,Juanru Li

DOI: https://doi.org/10.1016/j.ins.2008.05.031

IF: 8.1

2008-01-01

Information Sciences

Abstract:The ARIA algorithm is a Korean Standard block cipher, which is optimized for lightweight environments. On the basis of the byte-oriented model and the differential analysis principle, we propose a differential fault attack on the ARIA algorithm. Mathematical analysis and simulating experiment show that our attack can recover its 128-bit secret key by introducing 45 faulty ciphertexts. Simultaneously, we also present a fault detection technique for protecting ARIA against this proposed analysis. We believe that our results in this study will also be beneficial to the analysis and protection of the same type of other iterated block ciphers.

Li Zhang,Yu Zhang,Wenling Wu,Yongxia Mao,Yafei Zheng

DOI: https://doi.org/10.1093/comjnl/bxad009

2023-03-09

The Computer Journal

Abstract:Abstract Whether a block cipher can resist impossible differential attack is an important basis to evaluate the security of a block cipher. However, the length of impossible differentials is important for the security evaluation of block ciphers. Most of the previous studies are based on structural cryptanalysis to find the impossible differential, and the structural cryptanalysis covers a lot of specific cryptanalytic vectors which are independent of the nonlinear S-boxes. In this paper, we study the maximum length of the impossible differential of an Advanced Encryption Standard-like cipher in the setting with the details of S-boxes. Inspired by the ‘Divide-and-Conquer’ technique, we propose a new technique called Reduced Block, which combines the details of the S-box. With this tool, the maximum length of impossible differentials can be proven under reasonable assumptions. As applications, we use this tool on uBlock and Midori. Consequently, we prove that for uBlock-128, uBlock-256 and Midori-64, there are no impossible five-round, six-round and seven-round differentials with one active input nibble and one active output nibble, even when considering the details of S-boxes. Furthermore, we reveal some properties of the uBlock S-box and linear layer and demonstrate theoretically that there are no impossible differentials longer than four rounds for uBlock-128 under the assumption that the round keys are independent and uniformly random. This study might provide some insight into the bounds of the length of impossible differentials.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Wentan Yi,Shaozhen Chen,Kuanyang Wei

DOI: https://doi.org/10.48550/arXiv.1406.3240

2014-06-17

Abstract:Block cipher ARIA was first proposed by some South Korean experts in 2003, and later, it was established as a Korean Standard block cipher algorithm by Korean Agency for Technology and Standards. In this paper, we focus on the security evaluation of ARIA block cipher against the recent zero-correlation linear cryptanalysis. In addition, Partial-sum technique and FFT (Fast Fourier Transform) technique are used to speed up the cryptanalysis, respectively. We first introduce some 4-round linear approximations of ARIA with zero-correlation, and then present some key-recovery attacks on 6/7-round ARIA-128/256 with Partial-sum technique and FFT <a class="link-external link-http" href="http://technique.The" rel="external noopener nofollow">this http URL</a> key-recovery attack with Partial-sum technique on 6-round ARIA-128 needs 2^{123.6}known plaintexts (KPs), 2^{121} encryptions and 2^{90.3} bytes memory, and the attack with FFT technique requires 2^{124.1} KPs, 2^{121.5} encryptions and 2^{90.3}bytes memory. Moreover, applying Partial-sum technique, we can attack 7-round ARIA-256 with 2^{124.6} KPs, 2^{203.5} encryptions and 2^{152} bytes and 7-round ARIA-256 employing FFT technique, requires 2^{124.7} KPs, 2^{209.5} encryptions and 2^{152} bytes. Our results are the first zero-correlation linear cryptanalysis results on ARIA.

Cryptography and Security

Cui Tingting,Chen Shiyao,Fu Kai,Wang Meiqin,Jia Keting

DOI: https://doi.org/10.1007/s11432-018-1506-4

2020-01-01

Science China Information Sciences

Abstract:Impossible differential and zero-correlation linear cryptanalysis are two of the most powerful cryptanalysis methods in the field of symmetric key cryptography. There are several automatic tools to search such trails for ciphers with S-boxes. These tools focus on the properties of linear layers, and idealize the underlying S-boxes, i.e., assume any input and output difference pairs are possible. In reality, such S-box never exists, and the possible output differences with any fixed input difference can be at most half of the entire space. Hence, some of the possible differential trails under the ideal world become impossible in reality, possibly resulting in impossible differential trails for more rounds. In this paper, we firstly take the differential and linear properties of non-linear components such as S-box into consideration and propose a new automatic tool to search impossible differential trails for ciphers with S-box. We then generalize the tool to modulo addition, and apply it to ARX ciphers. To demonstrate the usefulness of the tool, we apply it to HIGHT, SHACAL-2, LEA, LBlock. As a result, it improves the best existing results of each cipher. keywords Impossible differential cryptanalysis, zero-correlation linear cryptanalysis, MILP, automatic tool

王薇,王小云

DOI: https://doi.org/10.3724/SP.J.1001.2009.00576

2009-01-01

Journal of Software

Abstract:An improved impossible differential attack on the block cipher CLEFIA is presented.CLEFIA was proposed by Sony Corporation at FSE 2007.Combining some observations with new tricks,the wrong keys are filtered out more efficiently,and the original impossible differential attack on 11-round CLEFIA-192/256 published by the designers,is extended to CLEFIA-128/192/256,with about 2103.1 encryptions and 2103.1 chosen plaintexts.By putting more constraint conditions on plaintext pairs,we present an attack on 12-round CLEFIA for all three key lengths with 2119.1 encryptions and 2119.1 chosen plaintexts.Moreover,a birthday sieve method is introduced to decrease the complexity of the precomputation.And an error about the time complexity evaluation in Tsunoo et al.'s attack on 12-round CLEFIA is pointed out and corrected.

Ya Liu,Yifan Shi,Dawu Gu,Bo Dai,Fengyu Zhao,Wei Li,Zhiqiang Liu,Zhiqiang Zeng

DOI: https://doi.org/10.1007/s11432-017-9365-4

2019-01-01

Science China Information Sciences

Abstract:Rijndael is a substitution-permutation network (SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256, that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2244.4 chosen plaintexts, 2240.1 encryptions, and 2181.4 blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2214.4 chosen plaintexts, 2241.3 encryptions, and 2183.4 blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2214.4 chosen plaintexts, 2113.4 encryptions, and 287.4 blocks, respectively, or 2206.6 chosen plaintexts, 2153.6 encryptions, and 2111.6 blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.

Dongxia Bai,Hongbo Yu

DOI: https://doi.org/10.1007/978-3-319-27659-5_11

2015-01-01

Abstract:ARIA is a 128-bit SPN block cipher selected as a Korean standard. This paper processes meet-in-the-middle attacks on reduced-round ARIA. Some 4-round and 5-round significant distinguishing properties which involve much fewer bytes parameters are proposed. Based on these better distinguishers, attacks on 7-round ARIA-192/256 and 8-round ARIA-256 are mounted with much lower complexities than previous meet-in-the-middle attacks. Furthermore, we present 7-round attack on ARIA-128 and 9-round attack on ARIA-256, which are both the first results for ARIA in terms of the meet-in-the-middle attack.

Leibo Li,Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-25513-7_4

2011-01-01

Abstract:Camellia is one of the widely used block ciphers, which has been selected as an international standard by ISO/IEC. In this paper, by exploiting some interesting properties of the key-dependent layer, we improve previous results on impossible differential cryptanalysis of reduced-round Camellia and gain some new observations. First, we introduce some new 7-round impossible differentials of Camellia for weak keys. These weak keys that work for the impossible differential take 3/4 of the whole key space, therefore, we further get rid of the weak-key assumption and leverage the attacks on reduced-round Camellia to all keys by utilizing the multiplied method. Second, we build a set of differentials which contains at least one 8-round impossible differential of Camellia with two FL/FL−1 layers. Following this new result, we show that the key-dependent transformations inserted in Camellia cannot resist impossible differential cryptanalysis effectively. Based on this set of differentials, we present a new cryptanalytic strategy to mount impossible differential attacks on reduced-round Camellia.

Zhan Chen,Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-49151-6_1

2016-01-01

Abstract:The Midori family of light weight block cipher is presented in ASIACRYPT2015. It is uses a SPN structure and has two versions: Midori64 and Midori128. In this paper we use a 6-round impossible differential path and present 10-round impossible differential attack on Midori128. We exploit the properties of S-boxes to aid our attack. We construct a hash table in the pre-computation phase to reduce time complexity. Our attack requires 2(116.17) chosen plaintexts, 2(97) blocks of memory and 2(116.71) 10-round Midori128 encryptions. We show that this is the first attack ever applied to Midori128.

Keting Jia,Ning Wang

DOI: https://doi.org/10.1007/978-3-319-40367-0_23

2016-01-01

Abstract:As an international standard by ISO/IEC, Camellia is a widely used block cipher, which has received much attention from cryptanalysts. The impossible differential attack is one of efficient methods to analyze Camellia. Liu et al. gave an 8-round impossible differential, of which the input and output differences depend on some weak keys. In this paper, we apply some key relations to build the precomputation table to reduce time complexity and give some relations between the size of weak key sets and the number of input and output differences of the impossible differentials, which are used to balance the time complexity and the fraction of key space attacked. Furthermore, we give an impossible differential attack on 14-round Camellia-192 with $$2^{126.5}$$ known plaintexts and $$2^{189.32}$$ encryptions. Our impossible differential attack works one more round than previous cryptanalysis results.

Liu Ya,Dawu Gu,Zhiqiang Liu,Wei Li,Weihao Kong

DOI: https://doi.org/10.1007/978-94-007-2792-2_43

2011-01-01

Abstract:In this paper, we propose a novel impossible differential attack on 7-round AES-128. Firstly, we construct some new 2-round impossible differentials of AES, which allow us to distinguish the wrong keys from the correct key more efficiently. Based on them, we present an impossible differential attack on 7-round AES-128. The data complexity is about $$ 2^{80} $$ chosen plaintexts. Compared to the best known result, the data complexity of our attack is reduced by nearly $$ 2^{ - 26.2} $$ times.

Wei Wang,Xiaoyun Wang

2007-01-01

Abstract:This paper presents an improved impossible differential attack on the new block cipher CLEFIA which is proposed by Sony Corporation at FSE 2007. Combining some observations with new tricks, we can filter out the wrong keys more efficiently, and improve the impossible differential attack on 11-round CLEFIA-192/256, which also firstly works for CLEFIA-128. The complexity is about 2 encryptions and 2 chosen plaintexts. By putting more constraint conditions on plaintext pairs, we give the first attack on 12-round CLEFIA for all three key lengths with 2 encryptions and 2 chosen plaintexts. For CLEFIA-192/256, our attack is applicable to 13-round variant, of which the time complexity is about 2, and the data complexity is 2. We also extend our attack to 14-round CLEFIA-256, with about 2 encryptions and 2 chosen plaintexts. Moreover, a birthday sieve method is introduced to decrease the complexity of the core precomputation.

Li Shenhua,Zhang Haina,Wang Xiaoyun

DOI: https://doi.org/10.1016/s1007-0214(09)70032-x

2009-01-01

Abstract:ARIA is a new block cipher designed as the block cipher standard of South Korea.The current version is 1.0,which is an improvement of version 0.8 with the security using four kinds of S-boxes instead of two and an additional two rounds of encryptions.These improvements are designed to prevent the dedicated linear attack on ARIA version 0.8 by the four different kinds of S-boxes.This paper presents 12 linear approximations of a single round function that succeeds in attacking ARIA version 1.0 on 7,9,or 9 rounds for key sizes of 128,192,or 256 bits using any of these approximations.The corresponding data complexities are 2 87 ,2 119 ,and 2 119 ,the counting complexities are 1.5×2 88 ,2 119 ,and 2 119 ,the memory required for each attack on all three key versions is 2 64 bits and there are 12 weak key classes.These results are similar to the dedicated linear attack on ARIA version 0.8 and show that the improved version can also not effectively resist this type of attack.

Chao Niu,Muzhou Li,Meiqin Wang,Qingju Wang,Siu-Ming Yiu

DOI: https://doi.org/10.1007/978-3-030-99277-4_11

2022-01-01

Abstract:We consider the related-tweak impossible differential cryptanalysis of TweAES. It is one of the underlying primitives of Authenticated Encryption with Associated Data (AEAD) scheme ESTATE which was accepted as one of second-round candidates in the NIST Lightweight Cryptography Standardization project. Firstly, we reveal several properties of TweAES, which show what kinds of distinguishers are more effective in recovering keys. With the help of automatic solver Simple Theorem Prover (STP), we achieve many 5.5-round related-tweak impossible differentials with fixed input differences and output differences that just have one active byte. Then, we implement 8-round key recovery attacks against TweAES based on one of these 5.5-round distinguishers. Moreover, another 5.5-round distinguisher that has four active bytes at the end is utilized to mount a 7-round key recovery attack against TweAES, which needs much lower attack complexities than the 6-round related-tweak impossible differential attack of TweAES in the design document. Our 8round key recovery attack is the best one against TweAES in terms of the number of rounds and complexities so far.

Zhiqiang Liu,Dawu Gu,Ya Liu,Juanru Li,Wei Li

DOI: https://doi.org/10.1007/978-3-642-25243-3_20

2011-01-01

Abstract:In this paper, we firstly present an approach to derive a kind of special linear characteristics for byte-oriented SPN block ciphers. Then based on this approach, we study the security of the block cipher ARIA against linear cryptanalysis and propose an attack on 7-round ARIA with 128/192/256-bit key size, an attack on 9-round ARIA with 192/256-bit key size as well as an attack on 11-round ARIA with 256-bit key size. The designers of ARIA expect that there isn't any effective attack on 8 or more rounds of ARIA with 128/192/256-bit key size by means of linear cryptanalysis. However, our work shows that such attacks do exist. Moreover, our cryptanalytic results are the best known cryptanalytic results of ARIA so far.

Kai Zhang,Senpeng Wang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Tairong Shi

DOI: https://doi.org/10.1109/tit.2023.3292241

IF: 2.5

2023-01-01

IEEE Transactions on Information Theory

Abstract:In this paper, a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis is proposed. This framework is constructed based on three different methods towards finding the theoretical upper boundary, theoretical lower boundary, and practical boundary of impossible differential distinguishers (short for ID) respectively. The provable security boundary (upper boundary) can be calculated with two round-function-related matrices through a few matrix multiplications, this calculation is beyond actual input and output differences. For searching longer IDs (lower boundary), an automatic method is proposed. With this method, given the input and output difference, all the possible direct and indirect contradictions are detected. For the practical boundary, a method of approximating all the potential longest IDs with concrete differential trails is introduced. The three boundaries validate the correctness from each other. According to our result, on the one hand, the boundaries derived with well-designed ID-construction methods can already reach the practical boundary for some block ciphers and it is unlikely to be improved based on known construction methods or future unknown construction methods. On the other hand, for those ciphers whose current best result does not reach our boundary, longer IDs can be discovered with this framework. The correctness is validated by a series of applications. For the provable security boundary, four family ciphers-SIMON, Simeck, Friet-PC and SAND are investigated. For SIMON and Simeck, the lengths of current longest IDs have reached their provable security boundaries. For Friet-PC and SAND, there is a gap between the provable security boundary and current best results. With the automatic searching method, some longer IDs on Friet-PC and SAND are discovered. For Friet-PC, 128 11-round IDs are discovered, while the previous best differential distinguisher is 9-round. For SAND64, 256 11-round IDs are proposed. For SAND128, 456 14-round IDs are presented. Both results extend previous longest IDs by one round and all these newly proposed distinguishers reached corresponding provable security boundaries. For Simeck, the length of longest IDs has not been improved. However, more distinguishers of the same length are discovered. For Simeck64, the increased ratio for the quantity can reach 300%. Besides, the practical boundary of SIMON is investigated, the results indicate that for SIMON, the practical boundary is identical with the provable security boundary or the boundary derived with the automatic searching method.

Qingju Wang,Dawu Gu,Vincent Rijmen,Ya Liu,Jiazhe Chen,Andrey Bogdanov

DOI: https://doi.org/10.1007/978-3-642-37682-5_10

2012-01-01

Abstract:In this paper, we present more powerful 6-round impossible differentials for large-block Rijndael-224 and Rijndael-256 than the ones used by Zhang et al. in ISC 2008. Using those, we can improve the previous impossible differential cryptanalysis of both 9-round Rijndael-224 and Rijndael-256. The improvement can lead to 10-round attack on Rijndael-256 as well. With 2198.1 chosen plaintexts, an attack is demonstrated on 9-round Rijndael-224 with 2195.2 encryptions and 2140.4 bytes memory. Increasing the data complexity to 2216 plaintexts, the time complexity can be reduced to 2130 encryptions and the memory requirements to 293.6 bytes. For 9-round Rijndael-256, we provide an attack requiring 2229.3 chosen plaintexts, 2194 encryptions, and 2139.6 bytes memory. Alternatively, with 2245.3 plaintexts, an attack with a reduced time of 2127.1 encryptions and a memory complexity of 290.9 bytes can be mounted. With 2244.2 chosen plaintexts, we can attack 10-round Rijndael-256 with 2253.9 encryptions and 2186.8 bytes of memory.