Huaifeng Chen,Rui Zong,Xiaoyang Dong

DOI: https://doi.org/10.1007/978-3-030-41579-2_26

2019-01-01

Abstract:GIFT is a new lightweight PRESENT-like block cipher, proposed by Banik et al. at CHES 2017. There are two versions, i.e., GIFT-64 and GIFT-128, with block size 64 and 128 respectively. Both versions have a 128-bit key. The Sbox and the linear layer of GIFT are chosen carefully to avoid single difference bit or linear mask bit path in 2 consecutive rounds. This improves the security of GIFT against differential, linear and linear hull attacks. In this paper, we implement a new automatic search algorithm of differential characteristics on GIFT-64. Considering the situations that some characteristics have the same input and output difference, we find a few of improved differentials with longer rounds or higher probabilities. Among them, the best probability for 12-round differential is 2(-56.5737), while that for 13-round differential is 2(-61.)(3135). In addition, we find 52 13-round differentials with the same output differences. Based on them, we mount a multiple differential attack on 20-round GIFT-64 with 2(62) chosen plaintexts, which attacks one more round than the best previous result. Also, we can attack 21-round GIFT-64 with the full codebook, using one differential with probability 2(-)(62)(.)(0634). This is the longest attack as far as we know.

Rui Zong,Xiaoyang Dong,Huaifeng Chen,Yiyuan Luo,Si Wang,Zheng Li

DOI: https://doi.org/10.46586/tosc.v2021.i1.156-184

2021-01-01

Abstract:When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

Lele Chen,Gaoli Wang,GuoYan Zhang

DOI: https://doi.org/10.1093/comjnl/bxz076

2019-10-15

The Computer Journal

Abstract:Abstract The rectangle attack is the extension of the traditional differential attack and is evolved from the boomerange attack. It has been widely used to attack several existing ciphers. In this article, we study the security of lightweight block ciphers GIFT, Khudra and MIBS against related-key rectangle attack. We use Mixed-Integer Linear Programming-aided cryptanalysis to search rectangle distinguishers by taking into account the effect of the ladder switch technique. For GIFT, we build a 19-round related-key rectangle distinguisher and attack on 23-round GIFT-64, which requires 260 chosen plaintexts and 2107 encryptions. For Khudra, a 14-round related-key rectangle distinguisher can be built, which leads us to a 17-round rectangle attack. Our attack on 17-round Khudra requires a data complexity of 262.9 chosen plaintexts and a time complexity of 273.9 encryptions. For MIBS, we construct a 13-round related-key rectangle distinguisher and propose an attack on 15-round MIBS-64 with time complexity of 259 and data complexity of 245. Compared to the previous best related-key rectangle attack, we can attack one more round on Khudra and MIBS-64 than before.

Qingyuan Yu,Lingyue Qin,Xiaoyang Dong,Keting Jia

DOI: https://doi.org/10.1093/comjnl/bxad071

2024-01-01

Abstract:GIFT is a lightweight cipher proposed by Banik et al. at CHES'17, motivated by the design strategy of PRESENT. GIFT-64[2021] is a variant of GIFT proposed by Sun et al. at EUROCRYPT'22 to achieve better resistance against differential attack while maintaining a similar security level against linear attack. At EUROCRYPT'22, Dong et al. proposed a new rectangle framework considering the key guessing strategies for linear key-schedule ciphers, and established a uniform automatic search model for the whole rectangle attack. In this paper, we extend it to be applicable to bit-oriented ciphers, and construct an automatic search model involved in the distinguisher and key-recovery phase for GIFT. Moreover, we utilize the key relations of the linear key-schedule to the model, and find some new distinguishers both for GIFT-64 and GIFT-64[2021]. To evaluate the probability more accurately, we propose a method to calculate the probability of the 2-round middle part which connects the boomerang distinguisher for GIFT, and apply it with the SAT method to evaluate the probability of the whole distinguishers. As a result, we search out a new 20-round related-key boomerang distinguisher for GIFT-64, and achieve a 26-round attack with better time complexity than the best previous attack. For GIFT-64[2021], we find a 20-round boomerang distinguisher and give the first 26-round rectangle attack under related-key scenario.

Manoj Kumar,Tarun Yadav

DOI: https://doi.org/10.1007/978-3-030-95085-9_3

2022-01-01

Abstract:WARP is a 128-bit lightweight block cipher presented by S. Banik et al. at SAC 2020. It is based on 32-nibble type-2 Generalised Feistel Network (GFN) structure and uses a permutation over nibbles to optimize the security and efficiency. The designers provided a lower bound on the number of active S-boxes but they did not provide the differential characteristics against these bounds. In this paper, we model the MILP problem for WARP and present the 18-round and 19-round differential characteristics with the probability of 2-122$$2^{-122}$$ and 2-132$$2^{-132}$$ respectively. We also present a key recovery attack on 21 rounds with the data complexity of 2113$$2^{113}$$ chosen plaintexts. To the best of our knowledge, this is the first key recovery attack against 21-round WARP using differential cryptanalysis.

Yanjun Li,Hao Lin,Xinjie Bi,Shanshan Huo,Yiyi Han

DOI: https://doi.org/10.1016/j.jisa.2023.103696

IF: 4.96

2024-01-19

Journal of Information Security and Applications

Abstract:Shadow (Guo et al., 2021) is a lightweight block cipher based on a new logical combination method of AND-RX operation and the generalized Feistel structure with high diffusion and excellent performance in hardware implementation. In this paper, the components and structure of Shadow cipher are researched, and based on MILP automatic search algorithms for differential trails the 2-round iterative differential characteristics are obtained, then the full-round differential characteristics of both Shadow-32 and Shadow-64 are given. Moreover, targeting Shadow-32, we conduct 32-bit round-key recovery attack by using four 13.5-round differential trails, and the experimental verification shows that the time complexity is 226.02 and space complexity is 214.1 . Recovering the 64 master key bits need to solve a system of multivariate equations over F2 with the time complexity more than 250.69 . For Shadow-64, the process of recovering the master key is similar. Finally, we analyze the reasons for the insecurity of the Shadow cipher that may help to improve the cryptographic performance of the Shadow or provide help for a new block cipher design.

computer science, information systems

Runlian Zhang,Mi Zhang,Jiaxu Yan,Yixing Li,Xiaonian Wu,Lingchen Li

DOI: https://doi.org/10.1109/dsc53577.2021.00084

2021-10-01

Abstract:It is a new trend of cryptographic analysis to realize automatic analysis on cryptographic algorithms by means of deep learning in recent years. TweGIFT-128 algorithm is an instantiation tweak block cipher algorithm for encryption authentication scheme ESTATE, and it was selected as a candidate cipher algorithm in the second round NIST challenge. Aiming at the security of TweGIFT-128 algorithm, the neural network model was used to realize automatic differential analysis in this paper, and the problem of searching differential distinguishers was transformed into a classification problem. Then based on DNN, the neural network differential distinguishers on TweGIFT-128 algorithm were constructed, and the 4–8 round neural network differential distinguishers were trained by using fixed difference. Experimental results show that the obtained 4–7 round TweGIFT-128 differential distinguishers can distinguish ciphertext from random data well, and the method constructing distinguisher based on neural network model is simpler and more general than the traditional methods.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Leibo Li,Keting Jia,Xiaoyun Wang,Xiaoyang Dong

DOI: https://doi.org/10.1007/978-3-662-48116-5_3

2015-01-01

Abstract:As one of the generalizations of differential cryptanalysis, the truncated differential cryptanalysis has become a powerful toolkit to evaluate the security of block ciphers. In this article, taking advantage of the meet-in-the-middle like technique, we introduce a new method to construct truncated differential characteristics of block ciphers. Based on the method, we propose 10-round and 8-round truncated differential characteristics for CLEFIA and Camellia, respectively, which are ISO standard block ciphers. Applying the 10-round truncated differential characteristic for CLEFIA, we launch attacks on 14/14/15-round CLEFIA-128/192/256 with 2(108), 2(135) and 2(203) encryptions, respectively. For Camellia, we utilize the 8-round truncated differential to attack 11/12-round Camellia-128/192 including the FL/FL-1 and whiten layers with 2(121.3) and 2(185.3) encryptions. As far as we know, most of the cases are the best results of these attacks on both ciphers.

Rui Zong,Xiaoyang Dong

DOI: https://doi.org/10.1109/access.2019.2946638

IF: 3.9

2019-01-01

IEEE Access

Abstract:In this paper, we study the relation of related-tweak/key impossible differentials with single-key ones. Following a heuristic strategy, we can derive longer related-tweak/key impossible differentials from single-key ones. We implement this strategy with the MILP technique and apply it to search related-tweak/key impossible differentials of two tweakable block ciphers: QARMA-64 and Joltik-BC-128. For QARMA-64, we find several 7-round related-tweak impossible differential distinguishers and use them to mount a 10-round key recovery attack including the outer whitening key; for Joltik-BC-128, we find two 6-round related-tweakey impossible differential distinguishers and use them attack 9-round and 10-round Joltik-BC-128 respectively.

Zhan Chen,Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-49151-6_1

2016-01-01

Abstract:The Midori family of light weight block cipher is presented in ASIACRYPT2015. It is uses a SPN structure and has two versions: Midori64 and Midori128. In this paper we use a 6-round impossible differential path and present 10-round impossible differential attack on Midori128. We exploit the properties of S-boxes to aid our attack. We construct a hash table in the pre-computation phase to reduce time complexity. Our attack requires 2(116.17) chosen plaintexts, 2(97) blocks of memory and 2(116.71) 10-round Midori128 encryptions. We show that this is the first attack ever applied to Midori128.

Meiqin Wang,Xiaoyun Wang,Kam Pui Chow,Lucas Chi Kwong Hui

DOI: https://doi.org/10.1587/transfun.e93.a.2744

2010-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics and they can attack 5-round CAST-128. In this paper, we studied the properties of round functions F1 and F3 in CAST-128, and identified differential characteristics for F1 round function and F3 round function. So we identified a 6-round differential characteristic with probability 2-53 under 2-23.8 of the total key space. Then based on 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72bits and 9-round CAST-128 with key sizes greater than or equal to 104bits. We give the summary of attacks on reduced-round CAST-128 in Table 10.

Kexin Qiao,Lei Hu,Siwei Sun,Xiaoshuang Ma,Haibin Kan

DOI: https://doi.org/10.1587/transfun.e98.a.72

2015-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Counting the number of differentially active S-boxes is of great importance in evaluating the security of a block cipher against differential attack. Mouha et al. proposed a technique based on Mixed-Integer Linear Programming (MILP) to automatically calculate a lower bound of the number of differentially active S-boxes for word-oriented block ciphers, and applied it to symmetric ciphers AES and Enocoro-128v2. Later Sun et al. extended the method by introducing bit-level representations for S-boxes and new constraints in the MILP problem, and applied the extended method to PRESENT-80 and LBlock. This kind of methods greatly depends on the constraints in the MILP problem describing the differential propagation of the block cipher. A more accurate description of the differential propagation leads to a tighter bound on the number of differentially active S-boxes. In this paper, we refine the constraints in the MILP problem describing XOR operations, and apply the refined MILP modeling to determine a lower bound of the number of active S-boxes for the Lai-Massey type block cipher FOX in the model of single-key differential attack, and obtain a tighter bound in FOX64 than existing results. Experimental results show that 6, instead of currently known 8, rounds of FOX64 is strong enough to resist against basic single-key differential attack since the differential characteristic probability is upper bounded by 2(-64), and thus the maximum differential characteristic probability of 12-round FOX64 is upper bounded by 2(-128), where 128 is the key-length of FOX64. We also get the lower bound of the number of differentially active S-boxes for 5-round FOX128, and proved the security of the full-round FOX128 with respect to single-key differential attack.

Anubhab Baksi,Jakub Breier,Yi Chen,Xiaoyang Dong

DOI: https://doi.org/10.23919/date51398.2021.9474092

2022-01-01

Abstract:At CRYPTO 2019, Gohr first introduces the deep learning based cryptanalysis on round-reduced SPECK. Using a deep residual network, Gohr trains several neural network based distinguishers on 8-round SPECK-32/64. The analysis follows an 'all-in-one' differential cryptanalysis approach, which considers all the output differences effect under the same input difference. Usually, the all-in-one differential cryptanalysis is more effective compared to the one using only one single differential trail. However, when the cipher is non-Markov or its block size is large, it is usually very hard to fully compute. Inspired by Gohr's work, we try to simulate the all-in-one differentials for non-Markov ciphers through machine learning. Our idea here is to reduce a distinguishing problem to a classification problem, so that it can be efficiently managed by machine learning. As a proof of concept, we show several distinguishers for four high profile ciphers, each of which works with trivial complexity. In particular, we show differential distinguishers for 8-round Gimli-Hash, Gimli-Cipher and Gimli-Permutation; 3-round Ascon-Permutation; 10-round Knot-256 permutation and 12-round Knot-512 permutation; and 4-round Chaskey-Permutation. Finally, we explore more on choosing an efficient machine learning model and observe that only a three layer neural network can be used. Our analysis shows the attacker is able to reduce the complexity of finding distinguishers by using machine learning techniques.

Yanyan Zhou,Senpeng Wang,Bin Hu

DOI: https://doi.org/10.1049/2024/8315115

2024-01-12

IET Information Security

Abstract:Differential-linear (DL) cryptanalysis is an important cryptanalytic method in cryptography and has received extensive attention from the cryptography community since its proposal by Langford and Hellman in 1994. At CT-RSA 2023, Bellini et al. introduced continuous difference propagations of XOR, rotation, and modulo-addition operations and proposed a fully automatic method using Mixed-Integer Linear Programing (MILP) and Mixed-Integer Quadratic Constraint Programing (MIQCP) techniques to search for DL distinguishers of Addition-Rotation-XOR (ARX) ciphers. In this paper, we propose continuous difference propagation of AND operation and construct an MILP/MIQCP-based fully automatic model of searching for DL distinguishers of SIMON-like ciphers. We apply the fully automatic model to all versions of SIMON and SIMECK. As a result, for SIMON, we find 13 and 14-round DL distinguishers of SIMON32, 15, 16, and 17-round DL distinguishers of SIMON48, 20-round DL distinguishers of SIMON64, 25 and 26-round DL distinguishers of SIMON96, 31 and 32-round DL distinguishers of SIMON128. For SIMECK, we find 14-round DL distinguishers of SIMECK32, 17 and 18-round DL distinguishers of SIMECK48, 22, 23, 24, and 25-round DL distinguishers of SIMECK64. As far as we know, our results are currently the best.

computer science, information systems, theory & methods

Ting Cui,Yi Zhang,Jiyan Zhang,Chenhui Jin,Shiwei Chen

DOI: https://doi.org/10.1109/jiot.2024.3358346

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:This paper considers a new cryptanalysis called differential invariant subspace cryptanalysis, which can be used to evaluate the security of IoT-friendly word-based block ciphers. This cryptanalysis estimates the behavior of differential propagation for particularly chosen input differences, and applies to the ciphers contain only the word-based components, e.g., word-based S-boxes, word-based linear mappings, etc. Firstly, this paper proves that, for any word-based block cipher, if the S-box causes the differential invariant subspace property, it then indicates a full-round distinguisher with probability 1, even if the target cipher is believed to be resistant enough against traditional differential or linear cryptanalysis. Secondly, a class of linear-equivalent S-boxes meeting the differential invariant subspace property are constructed as L∘S∘L-1, where L is any invertible linear mapping and S is a group of S-boxes in parallel. Finally, as application, we provide a full-round differential invariant subspace distinguisher for the variant Midori128 (the only difference is that the variant version utilizes only one single type S-box instead of four types). This distinguishing is experimentally verified and could be executed within negligible time.

computer science, information systems,telecommunications,engineering, electrical & electronic

Fan Zhang,Yiran Zhang,Xinjie Zhao,Shize Guo,Ziyuan Liang,Samiya Qureshi

DOI: https://doi.org/10.1109/PADSW.2018.8645010

2018-01-01

Abstract:The block cipher LED is well suited for resource-constrained scenarios. However, it is vulnerable to the recent fault attacks and different results have been achieved even under the same fault model. In this paper, a comprehensive investigation is conducted on the fault analysis on LED. A novel differential fault analysis is proposed, which is based on the so-called constraint equations. The proposed attack can combine constraint equations at different levels, pushing the differential fault analysis on LED towards its limit in terms of the time complexity, the data complexity and the remained key search space. Under random nibble fault model, SINGLE fault injection can reduce the key search space of LED-64 to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">7.90</sup> within 1.89s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">17.65</sup> within 7 minutes in prior finest contributions. As to DFA on LED-128, TWO fault injections can reduce the key search space to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">15.82</sup> within 247.88s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">21.96</sup> within 16 minutes in previous work. To the best of our knowledge, the scheme that we proposed is the most efficient fault attack on LED cryptosystems.

Aayush Jain,Varun Kohli,Girish Mishra

DOI: https://doi.org/10.48550/arXiv.2112.05061

2021-12-09

Cryptography and Security

Abstract:Recent years have seen an increasing involvement of Deep Learning in the cryptanalysis of various ciphers. The present study is inspired by past works on differential distinguishers, to develop a Deep Neural Network-based differential distinguisher for round reduced lightweight block ciphers PRESENT and Simeck. We make improvements in the state-of-the-art approach and extend its use to the two structurally different block ciphers, PRESENT-80 and Simeck64/128. The obtained results suggest the universality of our cryptanalysis method. The proposed method can distinguish random data from the cipher data obtained until 6 rounds of PRESENT and 7 rounds of Simeck encryption with high accuracy. In addition to this, we explore a new approach to select good input differentials, which to the best of our knowledge has not been explored in the past. We also provide a minimum-security requirement for the discussed ciphers against our differential attack.

Qingyuan Yu,Xiaoyang Dong,Lingyue Qin,Yongze Kang,Keting Jia,Xiaoyun Wang,Guoyan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i4.1-31

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Fault analysis is a powerful technique to retrieve secret keys by exploiting side-channel information. Differential fault analysis (DFA) is one of the most powerful threats utilizing differential information between correct and faulty ciphertexts and can recover keys for symmetric-key cryptosystems efficiently. Since DFA usually targets the first or last few rounds of the block ciphers, some countermeasures against DFA only protect the first and last few rounds for efficiency. Therefore, to explore how many rounds DFA can affect is very important to make sure how many rounds to protect in practice. At CHES 2011, Derbez et al. proposed an improved DFA on AES based on MitM approach, which covers one more round than previous DFAs. To perform good (or optimal) MitM DFA on block ciphers, the good (or optimal) attack configurations should be identified, such as the location where the faults inject, the matching point with differential relationship, and the two independent computation paths where two independent subsets of the key are involved. In this paper, we formulate the essential ideas of the construction of the attack, and translate the problem of searching for the best MitM DFA into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. With the models, we achieve more powerful and practical DFA attacks on SKINNY, CRAFT, QARMA, PRINCE, PRINCEv2, and MIDORI with faults injected in 1 to 9 earlier rounds than the best previous DFAs.

Boxin Zhao,Xiaoyang Dong,Willi Meier,Keting Jia,Gaoli Wang

DOI: https://doi.org/10.1007/s10623-020-00730-1

2020-01-01

Abstract:This paper gives a new generalized key-recovery model of related-key rectangle attacks on block ciphers with linear key schedules. The model is quite optimized and applicable to various block ciphers with linear key schedule. As a proof of work, we apply the new model to two very important block ciphers, i.e. SKINNY and GIFT, which are basic modules of many candidates of the Lightweight Cryptography (LWC) standardization project by NIST. For SKINNY, we reduce the complexity of the best previous 27-round related-tweakey rectangle attack on SKINNY-128-384 from 2 331 to 2 294 . In addition, the first 28-round related-tweakey rectangle attack on SKINNY-128-384 is given, which gains one more round than before. For the candidate LWC SKINNY AEAD M1, we conduct a 24-round related-tweakey rectangle attack with a time complexity of 2 123 and a data complexity of 2 123 chosen plaintexts. For the case of GIFT-64, we give the first 24-round related-key rectangle attack with a time complexity 2 91.58 , while the best previous attack on GIFT-64 only reaches 23 rounds at most.