Le Dong,Danxun Zhang,Wenya Li,Wenling Wu

DOI: https://doi.org/10.1007/s10623-024-01408-8

IF: 1.4

2024-05-08

Designs Codes and Cryptography

Abstract:In this study, we present the first yoyo attack to recover the secret round function of the 4-round Lai-Massey scheme with an affine orthomorphism. We first perform a yoyo attack on 3-round Lai-Massey scheme. However, the original method for constructing plaintext equations is not sufficiently effective. To solve this problem, we partition the ciphertext and plaintext spaces into subsets, which provides a fresh perspective on our yoyo attack. From this perspective, our study presents two improvements. One is that we devise an improved yoyo game in which the established ciphertext pool significantly narrows the search of good pairs compared with random selection, and the inserted filter can eliminate all wrong pairs using simple XOR calculations. Consequently, the yoyo game is advantageous for reducing the complexity of seeking good pairs, and we can avoid the complexity involved in solving equations generated using wrong pairs. The other is that we present a valid method for solving equations, which helps to reduce the number of yoyos required to recover the first-round function. After removing the first round, the look-up tables of the remaining two round functions of the 3-round Lai-Massey scheme can be retrieved by selecting the inputs and accessing the outputs. On the basis of this attack, we mount a yoyo attack on the 4-round Lai-Massey scheme to recover the fourth-round function and then apply the above attack to the remaining three rounds. In general, the complete recovery of the 4-round Lai-Massey scheme requires time complexity O and memory O , where .

mathematics, applied,computer science, theory & methods

Yiyuan Luo,Xuejia Lai,Zheng Gong,Zhongming Wu

2009-01-01

Abstract:At Asiacrypt’99, Vaudenay modified the structure in the IDEA cipher to a new scheme, which they called as the Lai-Massey scheme. It is proved that 3-round Lai-Massey scheme is sufficient for pseudorandomness and 4-round Lai-Massey scheme is sufficient for strong pseudorandomness. But the author didn’t point out whether three rounds and four rounds are necessary for the pseudorandomness and strong pseudorandomness of the Lai-Massey Scheme. In this paper we find a tworound pseudorandomness distinguisher and a three-round strong pseudorandomness distinguisher, thus prove that three rounds is necessary for the pseudorandomness and four rounds is necessary for the strong pseudorandomness.

Yiyuan Luo,Xuejia Lai,Zheng Gong

DOI: https://doi.org/10.1016/j.ipl.2010.10.012

IF: 0.851

2010-01-01

Information Processing Letters

Abstract:In this paper we find that the two-round (extended) Lai–Massey scheme is not pseudorandom and three-round (extended) Lai–Massey scheme is not strong pseudorandom. Combined with previous work, we prove that three rounds are necessary and sufficient for the pseudorandomness and four rounds are necessary and sufficient for the strong pseudorandomness.

Yiyuan Luo,Xuejia Lai,Jing Hu

2015-01-01

Journal of information science and engineering

Abstract:In this paper we prove beyond-birthday-bound for the (strong) pseudorandomness of many-round Lai-Massey scheme. Motivated by Hoang and Rogaway's analysis of generalized Feistel networks, we use the coupling technology from Markov chain theory and prove that for any epsilon > 0, with enough rounds, the Lai-Massey scheme is indistinguishable from a uniform random permutation by any computationally unbounded distinguisher making at most q similar to N1-epsilon combined chosen plaintext/ciphertext (CCA) queries, where N is the range size of the round function. Previous works by Vaudenay et al. and Yun et al. only proved the birthday-bound CCA security of Lai-Massey scheme.

Zou, Jian

DOI: https://doi.org/10.1007/s11128-024-04349-2

IF: 1.965

2024-04-03

Quantum Information Processing

Abstract:In this paper, we present some new key-recovery attacks on Misty L-KF, Misty R-KF, and generalized Feistel schemes. Firstly, we propose a new 5-round distinguisher on Misty L-KF structure. Based on our new distinguisher attack, we propose a new 6-round Demiric–Selçuk meet-in-the-middle attack (DS-MITM attack) against Misty L-KF structure. Secondly, we extend our classical DS-MITM attack to a new quantum DS-MITM attack on Misty L-KF structure by using the quantum claw finding algorithm. In addition, we apply the above method to attack Misty R-KF and generalized Feistel schemes. To sum up, we construct our classical key-recovery attacks on the 6-round Misty L-KF structure and Misty R-KF structure with time and memory cost. By using a quantum computer, our new quantum key-recovery attacks on the 6-round Misty L-KF structures and Misty R-KF structures can be constructed with time and memory cost. Furthermore, we can construct our new quantum -round key-recovery attacks on the d -branch contracting Feistels with time and memory cost. In the end, we can construct our new quantum -round and -round key-recovery attacks on the two types of d -branch expanding Feistels with time and memory cost.

physics, multidisciplinary,quantum science & technology, mathematical

Chun Guo,Ling Song

DOI: https://doi.org/10.1007/s10623-024-01394-x

IF: 1.4

2024-03-25

Designs Codes and Cryptography

Abstract:Feistel constructions using contracting round functions were introduced in 1990s and generalized by Yun et al. (Des Codes Cryptogr 58(1):45–72, 2011) to a quasigroup-based definition. To our knowledge, the minimal number of rounds sufficient for CCA security remains elusive. We bridge this gap: for the general quasigroup-based contracting Feistel construction using round functions , , we prove CCA security at rounds. This matches the attacked rounds of Patarin et al. (in: Lai, Chen (ed) ASIACRYPT, Springer, Heidelberg, 2006). Interestingly, this means 4 rounds are already sufficient for CCA security of the case , which is the same as the balanced Feistel.

mathematics, applied,computer science, theory & methods

Kaiyi Zhang,Qingju Wang,Yu,Chun Guo,Hongrui Cui

DOI: https://doi.org/10.1007/978-981-99-8727-6_10

2023-01-01

Abstract:Picnic is a NIST PQC Round 3 Alternate signature candidate that builds upon symmetric primitives following the MPC-in-the-head paradigm. Recently, researchers have been exploring more secure/efficient signature schemes from conservative one-way functions based on AES, or new low-complexity one-way functions like RAIN (CCS 2022) and AIM (CCS 2023 and Round 1 Additional Signatures announced by NIST PQC). The signature schemes based on RAIN and AIM are currently the most efficient among MPC-in-the-head-based schemes, making them promising post-quantum digital signature candidates. However, the exact hardness of these new one-way functions deserves further study and scrutiny. This work presents algebraic attacks on RAIN and AIM for certain instances, where one-round RAIN can be compromised in 2(n/2) for security parameter n is an element of {128, 192, 256}, and two-round RAIN can be broken in 2(120.3), 2(180.4), and 2(243.1) encryptions, respectively. Additionally, we demonstrate an attack on AIM-III (which aims at 192-bit security) with a complexity of 2(186.5) encryptions. These attacks exploit the algebraic structure of the power function over fields with characteristic 2, which provides potential insights into the algebraic structures of some symmetric primitives and thus might be of independent interest.

Qingliang Hou,Xiaoyang Dong,Lingyue Qin,Guoyan Zhang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-981-99-8727-6_13

2023-01-01

Abstract:Feistel network and its generalizations (GFN) are another important building blocks for constructing hash functions, e.g., Simpira v2, Areion, and the ISO standard Lesamnta-LW. The Meet-in-the-Middle (MitM) is a general paradigm to build preimage and collision attacks on hash functions, which has been automated in several papers. However, those automatic tools mostly focus on the hash function with Substitution-Permutation network (SPN) as building blocks, and only one for Feistel network by Schrottenloher and Stevens (at CRYPTO 2022). In this paper, we introduce a new automatic model for MitM attacks on Feistel networks by generalizing the traditional direct or indirect partial matching strategies and also Sasaki's multi-round matching strategy. Besides, we find the equivalent transformations of Feistel and GFN can significantly simplify the MILP model. Based on our automatic model, we improve the preimage attacks on Feistel-SP-MMO, Simpira-2/-4-DM, Areion-256/-512-DM by 1-2 rounds or significantly reduce the complexities. Furthermore, we fill in the gap left by Schrottenloher and Stevens at CRYPTO 2022 on the large branch (b > 4) Simpira-b's attack and propose the first 11-round attack on Simpira-6. Besides, we significantly improve the collision attack on the ISO standard hash Lesamnta-LW by increasing the attacked round number from previous 11 to ours 17 rounds.

An-Ping Li

DOI: https://doi.org/10.48550/arXiv.0710.2970

2007-10-16

Cryptography and Security

Abstract:In this paper, we present a generic attack for ciphers, which is in essence a collision attack on the secret keys of ciphers .

Guoqiang Bai,Rui Ma,Guang Xiao

IF: 1.019

2001-01-01

Chinese Journal of Electronics

Abstract:Guang Gong and Lein Harn proposed a new Diffie-Hellman public-key distribution scheme that is based on third-order linear feedback shift register sequences over GF(p) and its security is based on the difficulty of solving the discrete logarithm in GF(p(3)). However, a method for attacking the scheme is presented in this paper. Despite that the method could not break up it fully, it indicates that the security of the scheme is likely to be not being based on the difficulty of solving the discrete logarithm in GF(p(3)). With this method, we have also obtained the weak private keys of the scheme.

Wenling Wu,Wentao Zhang,Dongdai Lin

2006-01-01

Abstract:This paper studies the security against difierential/linear cryptanalysis and the pseudorandomness for a class of generalized Feis- tel scheme with SP round function called GFSP. We consider the mini- mum number of active s-boxes in some consecutive rounds of GFSP,i.e., in four, eight and sixteen consecutive rounds, which provide the up- per bound of the maximum difierential/linear probabilities of 16-round GFSP scheme, in order to evaluate the strength against difierential/linear cryptanalysis. Furthermore, We investigate the pseudorandomness of GFSP, point out 7-round GFSP is not pseudorandom for non-adaptive adversary, by using some distinguishers, and prove that 8-round GFSP is pseudorandom for any adversaries.

Guang Yang,Ping Zhang,Jiachen Ding,Honggang Hu

DOI: https://doi.org/10.1109/dsc.2018.00098

2018-01-01

Abstract:Block ciphers have been widely used to protect data security. Most block ciphers (such as AES) have an iterated structure which alternately XOR's a secret key and use some publicly known permutation. In 1991, the simplest example of such a block cipher, called the Even-Mansour (EM) scheme, was defined and analyzed by Even and Mansour. One of the main tools used in previous attacks was the slide attack. In this paper, we firstly show some special instances of the original slide attacks whose success rate is 0. We use this result to illustrate that an assumption of these attacks is not reasonable. Moreover, we present the advanced slide attacks whose success rate is always a non-negligible constant on the Even-Mansour scheme. Finally, we apply this advanced technique to attack the additional Even-Mansour scheme.

Xiaorui Sun,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-642-05445-7_17

2009-01-01

Abstract:We present several integral attacks on MISTY1 using the FO Relation. The FO Relation is a more precise form of the Sakurai-Zheng Property such that the functions in the FO Relation depend on 16-bit inputs instead of 32-bit inputs used in previous attacks, and that the functions do not change for different keys while previous works used different functions.We use the FO Relation to improve the 5-round integral attack. The data complexity of our attack, 234 chosen plaintexts, is the same as previous attack, but the running time is reduced from 248 encryptions to 229.58 encryptions. The attack is then extended by one more round with data complexity of 234 chosen plaintexts and time complexity of 2107.26 encryptions. By exploring the key schedule weakness of the cipher, we also present a chosen ciphertext attack on 6-round MISTY1 with all the FL layers with data complexity of 232 chosen ciphertexts and time complexity of 2126.09 encryptions. Compared with other attacks on 6-round MISTY1 with all the FL layers, our attack has the least data complexity.

Maria Eichlseder,Lorenzo Grassi,Reinhard Lüftenegger,Morten Øygarden,Christian Rechberger,Markus Schofnegger,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-64837-4_16

2020-01-01

Abstract:Algebraically simple PRFs, ciphers, or cryptographic hash functions are becoming increasingly popular, for example due to their attractive properties for MPC and new proof systems (SNARKs, STARKs, among many others). In this paper, we focus on the algebraically simple construction MiMC, which became an attractive cryptanalytic target due to its simplicity, but also due to its use as a baseline in a competition for more recent algorithms exploring this design space. For the first time, we are able to describe key-recovery attacks on all full-round versions of MiMC over $${\mathbb {F}}_{2^n}$$ , requiring half the code book. In the chosen-ciphertext scenario, recovering the key from this data for the n-bit full version of MiMC takes the equivalent of less than $$2^{n-\log _2(n) +1}$$ calls to MiMC and negligible amounts of memory. The attack procedure is a generalization of higher-order differential cryptanalysis, and it is based on two main ingredients. First, we present a higher-order distinguisher which exploits the fact that the algebraic degree of MiMC grows significantly slower than originally believed. Secondly, we describe an approach to turn this distinguisher into a key-recovery attack without guessing the full subkey. Finally, we show that approximately $$\lceil \log _3(2\cdot R)\rceil $$ more rounds (where $$R = \lceil n \cdot \log _3(2)\rceil $$ is the current number of rounds of MiMC-n/n) can be necessary and sufficient to restore the security against the key-recovery attack presented here. The attack has been practically verified on toy versions of MiMC. Note that our attack does not affect the security of MiMC over prime fields.

BAI Guo-qiang,CAI Mian,XIAO Guo-zhen

DOI: https://doi.org/10.3969/j.issn.1001-2400.2000.06.015

2000-01-01

Abstract:Very recently, Guang Gong and Lein harn have proposed a new Diffie Hellman public key exchange scheme based on the 3 rd order linear feedback shift register sequences over GF(q). A method for attacking the scheme is investigated in this paper. For some special private keys, with the method we can easily obtain them from their public keys and the system open parameters.

Zhihui Chu,Huaifeng Chen,Xiaoyun Wang,Lu Li,Xiaoyang Dong,Yaoling Ding,Yonglin Hao

DOI: https://doi.org/10.1049/iet-ifs.2017.0388

2018-01-01

IET Information Security

Abstract:The integral attack, exploits the balanced property of the output in the distinguisher. Usually, adversaries append some rounds after the distinguisher, guess the corresponding key bits and check whether the target bits are balanced. Few works add rounds before the distinguisher to make the key recovery attack. In the first full-round attack on MISTY1, Todo adds one FL layer (key-dependent linear function) before the distinguisher. In this study, the authors extend his method and give a general method, which they can use to extend some rounds (non-linear) before the distinguisher to attack more rounds with data complexity smaller than the whole space and little extra time consumption. The basic idea is that for different subkeys guessed in the forward rounds, they set different constant values for the input of the distinguisher. Finally, the selected data space is not full. For substitution permutation network (SPN) (Feistel with SPN round function) structures with 4bit S-box and bit permutation, they estimate the data complexity when adding one round before the distinguishers for all 4bit S-boxes. Using the method, they improve the integral attacks on PRESENT, RECTANGLE, TWINE and LBlock, and their results could cover one more round.

Fagen Li,Yupu Hu

2008-01-01

Fundamenta Informaticae

Abstract:In 2006, Pomykala and Barabasz [Fundamenta Informaticae 69 (2006) 411-425] proposed an elliptic curve based threshold proxy signature scheme which requires shorter cryptographic keys. They claimed that their scheme satisfies the secrecy, the proxy protected, the unforgeability, the non-repudiation, and the known signers. However, in this paper, we show that their scheme cannot achieve the proxy protected, the unforgeability and the non-repudiation by demonstrating a conspiracy attack. In this attack, any t malicious proxy signers can collusively impersonate some other proxy signers to generate proxy signatures.

Sitao Wang,Yao Zhang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.2991/jimet-15.2015.71

2015-01-01

Abstract:Block ciphers serve as the core of the modern cryptography, with a continuing study of cryptanalysis never stopped. Recently, a specific cryptographic structure, namely Even-Mansour scheme, has been widely revisited and discussed due to its well relevance to most block ciphers. In this paper, we have proposed MB+, a novel and effective solution to key-recovery issue especially for 4 round Even-Mansour schemes. Our method is inspired by a multibridge attack that uses two round keys alternately. Specifically, based on a thorough analysis on the properties of the fixed points, we have observed the existence of invalid keys that can not be disclosed by the multibridge attack. Targeting at the reduction of invalid-key set, we obtain the MB+ method by introducing XOR-parameters in a flexible fashion. With the theoretical analysis and extensive experiments against popular block ciphers, we confirm the effectiveness of our approach systematically.

LU Xianhui,LAI Xuejia,HE Dake,LI Guomin

DOI: https://doi.org/10.3321/j.issn:1671-8836.2008.05.009

2008-01-01

Abstract:To check if a public key encryption scheme is secure against adaptive chosen ciphertext attacks,a security analysis method is proposed.According to the adversary's goal and information resource,adaptive chosen ciphertext attacks are classified into four categories and then the possibility of each category of attacks is analyzed.The proposed security analysis method distinguishes itself from the early security analysis in that it deals with the possibility of each of the attack categories rather than the search of a specific attack method.It is simpler and more intuitive than security proof.How to check the security of a scheme,which is adaptive chosen ciphertext secure in the random oracle model,in the real world is an open problem of the provable security research field.The proposed method provides a good solution to this problem.

Ruoyu Ding,Chi Cheng,Yue Qin,Yue Qin Qin

DOI: https://doi.org/10.1109/jsyst.2022.3161264

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:To improve the security of mobile networks in the postquantum era, Dabra et al. recently proposed a lattice-based anonymous password-authenticated key exchange (LBA-PAKE) protocol for mobile devices. Especially, LBA-PAKE is claimed to support the key reuse. However, we find that LBA-PAKE is still vulnerable to the signal leakage attack when the master key is reused. We propose two strategies to reduce the needed number of queries in our attack. Compared to the method of Bindel et al., our method reduces the required queries by more than 75%. Our experiments show that breaking LBA-PAKE needs less than 2 min. Through analysis of why LBA-PAKE fails in their security proof, we further propose an improved protocol without incurring extra computation costs. The formal security analysis shows that our improved scheme supports all features of LBA-PAKE while thwarting the signal leakage attack. Moreover, the implementation of our improved protocol demonstrates its efficiency in mobile networks.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science