Xuexin Zheng,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-12160-4_8

2014-01-01

Abstract:TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best considering different cryptanalysis methods, our algorithm which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively shows some novelty. Besides, some observations which may be used to mount other types of attacks are given. Overall, making use of some complicated subkey relations and time-memory tradeoff trick, the time, data and memory complexity of attacking 23-round TWINE-80 are 2(79.09) 23-round encryptions, 2(57.85) chosen plaintexts and 2(78.04) blocks respectively. Besides, the impossible differential attack on 24-round TWINE-128 needs 2(58.1) chosen plaintexts, 2(126.78) 24-round encryptions and 2(125.61) blocks of memory.

Wei Li,Wenwen Zhang,Dawu Gu,Zhi Tao,Zhihong Zhou,Ya Liu,Zhiqiang Liu

DOI: https://doi.org/10.3837/tiis.2015.02.018

2015-01-01

KSII Transactions on Internet and Information Systems

Abstract:The TWINE is a new Generalized Feistel Structure (GFS) lightweight cryptosystem in the Internet of Things. It has 36 rounds and the key lengths support 80 bits and 128 bits, which are flexible to provide security for the RFID, smart cards and other highly-constrained devices. Due to the strong attacking ability, fast speed, simple implementation and other characteristics, the differential fault analysis has become an important method to evaluate the security of lightweight cryptosystems. On the basis of the 4-bit fault model and the differential analysis, we propose an effective differential fault attack on the TWINE cryptosystem. Mathematical analysis and simulating experiments show that the attack could recover its 80-bit and 128-bit secret keys by introducing 8 faulty ciphertexts and 18 faulty ciphertexts on average, respectively. The result in this study describes that the TWINE is vulnerable to differential fault analysis. It will be beneficial to the analysis of the same type of other iterated lightweight cryptosystems in the Internet of Things.

Dongxia Bai,Hongbo Yu

DOI: https://doi.org/10.1007/978-3-319-27659-5_11

2015-01-01

Abstract:ARIA is a 128-bit SPN block cipher selected as a Korean standard. This paper processes meet-in-the-middle attacks on reduced-round ARIA. Some 4-round and 5-round significant distinguishing properties which involve much fewer bytes parameters are proposed. Based on these better distinguishers, attacks on 7-round ARIA-192/256 and 8-round ARIA-256 are mounted with much lower complexities than previous meet-in-the-middle attacks. Furthermore, we present 7-round attack on ARIA-128 and 9-round attack on ARIA-256, which are both the first results for ARIA in terms of the meet-in-the-middle attack.

Yu Sasaki,Lei Wang,Yasuhide Sakai,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1007/978-3-642-31410-0_9

2012-01-01

Abstract:This paper presents an improved single-key attack on a block-cipher XTEA by using the three-subset meet-in-the-middle (MitM) attack. Firstly, a technique on a generic block-cipher is discussed. It points out that the previous work applying the splice-and-cut technique to the three-subset MitM attack contains incomplete arguments, and thus it requires a very large data complexity, which is close to the code book. This paper gives a corrected procedure to keep the data complexity small. Secondly, the three-subset MitM attack is applied for reduced-round XTEA, which is a 64-bit block-cipher with 64-round Feistel network and a 128-bit key. 25 rounds are attacked with 9 known plaintexts and 2120.40 XTEA computations, while the previous best single-key attack only reaches 23 rounds. In the chosen-plaintext model, the attack is extended to 28 rounds with 237 chosen-plaintexts and 2120.38 computations.

Ya Liu,Bing Shi,Dawu Gu,Fengyu Zhao,Wei Li,Zhiqiang Liu

DOI: https://doi.org/10.1093/comjnl/bxaa028

2020-01-01

The Computer Journal

Abstract:In ASIACRYPT 2014, Jean et al. proposed the authentication encryption scheme Deoxys, which is one of the third-round candidates in CAESAR competition. Its internal block cipher is called Deoxys-BC that adopts the tweakey frame. Deoxys-BC has two versions of the tweakey size that are 256 bits and 384 bits, denoted by Deoxys-BC-256 and Deoxys-BC-384, respectively. In this paper, we revaluate the security of Deoxys-BC-256 against the meet-in-the-middle attack to obtain some new results. First, we append one round at the top and two rounds at the bottom of a 6-round distinguisher to form a 9-round truncated differential path with the probability of $2^{-144}$. Based on it, the adversary can attack 9-round Deoxys-BC-256 with $2^{108}$ chosen plaintext-tweaks, $2^{113.6}$ encryptions and $2^{102}$ blocks. Second, we construct a new 6.5-round distinguisher to form 10-round attacking path with the probability of $2^{-152}$. On the basis of it, the adversary could attack 10-round Deoxys-BC-256 with $2^{115}$ chosen plaintext-tweaks, $2^{171}$ encryptions and $2^{152}$ blocks. These two attacks improve the previous cryptanalytic results on reduced-round Deoxys-BC-256 against the meet-in-the-middle attack.

Ivica Nikolić,Lei Wang,Shuang Wu

DOI: https://doi.org/10.1007/s12095-014-0118-1

2014-01-01

Cryptography and Communications

Abstract:We propose a new type of meet-in-the-middle attack that splits a cryptographic primitive in parallel to the execution flow of the operations. The result of the division are two primitives that have smaller input sizes and thus require lower attack complexities. The sub-primitives are not completely independent, but mutually depend on a certain number of bits. When the number of such bits is relatively small, we show a technique based on three classical meet-in-the-middle attacks that can recover the secret key of the cipher faster than an exhaustive search. We apply our findings to the lightweight block cipher Klein and show attacks on 10/11/13 rounds of Klein -64/-80/-96. We note that our approach works in the known -plaintext attack model and requires only one or two pairs of known plaintexts.

Ya Liu,Liang Cheng,Zhiqiang Liu,Wei Li,Qingju Wang,Dawu Gu

DOI: https://doi.org/10.1007/s11432-016-9157-y

2017-01-01

Science China Information Sciences

Abstract:Piccolo is a lightweight block cipher that adopts a generalized Feistel network structure with4 branches, each of which is 16 bit long. The key length is 80 or 128 bit, denoted by Piccolo-80 and Piccolo-128, respectively. In this paper, we mounted meet-in-the-middle attacks on 14-round Piccolo-80 without preand post-whitening keys and 18-round Piccolo-128 with post-whitening keys by exploiting the properties of the key schedule and Maximum Distance Separable(MDS) matrix. For Piccolo-80, we first constructed a 5-round distinguisher. Then 4 rounds and 5 rounds were appended at the beginning and at the end,respectively. Based on this structure, we mounted an attack on 14-round Piccolo-80 from the 5 th round to the 18 th round. The data, time, and memory complexities were 2 52 chosen plaintexts, 2 67.44 encryptions, and 2 64.91 blocks, respectively. For Piccolo-128, we built a 7-round distinguisher to attack 18-round Piccolo-128 from the 4 th round to the 21st round. The data, time, and memory complexities were 2 52 chosen plaintexts,2 126.63 encryptions, and 2 125.29 blocks, respectively. If not considering results on biclique cryptanalysis,these are currently the best public results on this reduced version of the Piccolo block cipher.

Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-46706-0_7

2014-01-01

Abstract:This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with 2 121 chosen plaintexts, 2(187.5) 9-round encryptions and 2(185) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.

Ya Liu,Yifan Shi,Dawu Gu,Zhiqiang Zeng,Fengyu Zhao,Wei Li,Zhiqiang Liu,Yang Bao

DOI: https://doi.org/10.1093/comjnl/bxz059

2019-01-01

The Computer Journal

Abstract:Kiasu-BC and Joltik-BC are internal tweakable block ciphers of authenticated encryption algorithms Kiasu and Joltik submitted to the CAESAR competition. Kiasu-BC is a 128-bit block cipher, of which tweak and key sizes are 64 and 128 bits, respectively. Joltik-BC-128 is a 64-bit lightweight block cipher supporting 128 bits tweakey. Its designers recommended the key and tweak sizes are both 64 bits. In this paper, we propose improved meet-in-the-middle attacks on 8-round Kiasu-BC, 9-round and 10-round Joltik-BC-128 by exploiting properties of their structures and using precomputation tables and the differential enumeration. For Kiasu-BC, we build a 5-round distinguisher to attack 8-round Kiasu-BC with $2^{109}$ plaintext–tweaks, $2^{112.8}$ encrytions and $2^{92.91}$ blocks. Compared with previously best known cryptanalytic results on 8-round Kiasu-BC under chosen plaintext attacks, the data and time complexities are reduced by $2^{7}$ and $2^{3.2}$ times, respectively. For the recommended version of Joltik-BC-128, we construct a 6-round distinguisher to attack 9-round Joltik-BC-128 with $2^{53}$ plaintext–tweaks, $2^{56.6}$ encryptions and $2^{52.91}$ blocks, respectively. Compared with previously best known results, the data and time complexities are reduced by $2^7$ and $2^{5.1}$ times, respectively. In addition, we present a 6.5-round distinguisher to attack 10-round Joltik-BC-128 with $2^{53}$ plaintext–tweaks, $2^{101.4}$ encryptions and $2^{76.91}$ blocks.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1007/s10623-023-01226-4

IF: 1.4

2023-01-01

Designs Codes and Cryptography

Abstract:Computer aided cryptanalysis has been popular for recent several years, however, most of these automations are semi-automations which leave cryptographers to complete the remaining parts of the attack. This paper proposes an automatic framework towards optimal meet-in-the-middle attack with splice-and-cut technique(MITM-SCT). Compared with other automations on MITM attack, our framework is fully automatic which can take all the procedures of the attack into consideration. Firstly, with a newly introduced matrix-based method, a general framework is proposed to calculate the correlated states and illustrate the differential diffusion property in a MITM attack. Alongside, all the procedures of a typical MITM-SCT attack are reduced to three types of matrices. These matrices can be uniquely determined by the round function and the construction methods are presented. Secondly, based on the framework, a fully automatic searching method on MITM-SCT attack is proposed. Thirdly, an optimal searching strategy on MITM-SCT attack is proposed and the bound for the time complexity is illustrated. Based on our method, if the computing capability is large enough, we can search all the possible attack scenarios and the least upper bound for the target block cipher against MITM-SCT attack can be derived. That is to say, we cannot only find some better attack scenarios, but also try all the possible attack scenarios simultaneously to find the optimal ones for some cases. Finally, we apply our method to HIGHT, CHAM, WARP and derive some currently best-known MITM attacks on these ciphers. For HIGHT, we exhaustively search about 2.1 billion attack scenarios and derive 76.8 thousand 23-round MITM attacks on HIGHT, which is 4 rounds more than the current best MITM attack. For the CHAM family ciphers, some MITM attacks are proposed on 30-round, 19-round, 30-round CHAM-64/128, CHAM-128/128 and CHAM-128/256 respectively. These results can exceed most of the attacks in the single key setting proposed by the designers. For WARP, a concrete 19-round MITM attack is proposed. Our automatic method is proposed on solving the problem of MITM attacks on ARX ciphers, however, the successful attack on WARP indicates that our method can also be applied to Sbox-based block ciphers.

LI Wei,WANG Menglin,GU Dawu,LI Jiayao,CAI Tianpei,XU Guangwei

DOI: https://doi.org/10.11959/j.issn.1000-436x.2021039

2021-01-01

Abstract:The security analysis of TWINE against the ciphertext-only fault analysis was proposed.The secret key of TWINE could be recovered with a success probability at least 99% using a series of distinguishers of SEI、MLE、HW、GF、GF-SEI、GF-MLE、Parzen-HW、MLE-HE、HW-HE and HW-MLE-HE.Among them, the novel proposed distinguishers of MLE-HE、HW-HE and HW-MLE-HE can effectively reduce the faults and improve the attack efficiency in simulating experiments.It provides a significant reference for analyzing the security of lightweight ciphers in the Internet of Things.

Jie Cui,Liusheng Huang,Hong Zhong,Wei Yang

DOI: https://doi.org/10.1109/ICCSE.2010.5593579

2010-01-01

Abstract:In this paper the authors present an attack on 7-round AES-128/256 to improve the known cryptanalysis by changing the order of round transformation , using the alternative representation of the round keys, exploiting the relationship of keys, designing the key difference pattern properly. By using the improved attack method, the complexity is reduced from 2 192 to 2 104 with 2 72 chosen plaintexts, the authors reduce complexity to 2 88 using partial sums. ©2010 IEEE.

Shion UTSUMI,Kosei SAKAMOTO,Takanori ISOBE

DOI: https://doi.org/10.1587/transfun.2023eap1149

2024-01-01

Abstract:Lightweight block ciphers have gained attention in recent years due to the increasing demand for sensor nodes, RFID tags, and various applications. In such a situation, lightweight block ciphers Piccolo and TWINE have been proposed. Both Piccolo and TWINE are designed based on the Generalized Feistel Structure. However, it is crucial to address the potential vulnerability of these structures to the impossible differential attack. Therefore, detailed security evaluations against this attack are essential. This paper focuses on conducting bit-level evaluations of Piccolo and TWINE against related-key impossible differential attacks by leveraging SAT-aided approaches. We search for the longest distinguishers under the condition that the Hamming weight of the active bits of the input, which includes plaintext and master key differences, and output differences is set to 1, respectively. Additionally, for Tweakable TWINE, we search for the longest distinguishers under the related-tweak and related-tweak-key settings. The result for Piccolo with a 128-bit key, we identify the longest 16-round distinguishers for the first time. In addition, we also demonstrate the ability to extend these distinguishers to 17 rounds by taking into account the cancellation of the round key and plaintext difference. Regarding evaluations of TWINE with a 128-bit key, we search for the first time and reveal the distinguishers up to 19 rounds. For the search for Tweakable TWINE, we evaluate under the related-tweak-key setting for the first time and reveal the distinguishers up to 18 rounds for 80-bit key and 19 rounds for 128-bit key.

computer science, information systems,engineering, electrical & electronic, hardware & architecture

Xiaoyang Dong,Jialiang Hua,Siwei Sun,Zheng Li,Xiaoyun Wang,Lei Hu

2021-01-01

Abstract:At EUROCRYPT 2021, Bao et al. proposed an automatic method for systematically exploring the configuration space of meetin-the-middle (MITM) preimage attacks. We further extend it into a constraint-based framework for finding exploitable MITM characteristics in the context of key-recovery and collision attacks by taking the subtle peculiarities of both scenarios into account. Moreover, to perform attacks based on MITM characteristics with nonlinear constrained neutral words, which have not been seen before, we present a procedure for deriving the solution spaces of neutral words without solving the corresponding nonlinear equations or increasing the overall time complexities of the attack. We apply our method to concrete symmetric-key primitives, including SKINNY, ForkSkinny, Romulus-H, Saturnin, Grøstl, WHIRLPOOL, and hashing modes with AES-256. As a result, we identify the first 23-round key-recovery attack on SKINNY-n-3n and the first 24-round key-recovery attack on ForkSkinny-n-3n in the single-key model with extremely low memories. Moreover, improved (pseudo) preimage or collision attacks on round-reduced WHIRLPOOL, Grøstl, and hashing modes with AES-256 are obtained. In particular, employing the new representation of the AES key schedule due to Leurent and Pernot (EUROCRYPT 2021), we identify the first preimage attack on 10-round AES-256.

Keting Jia,Leibo Li

DOI: https://doi.org/10.1007/978-3-642-35416-8_2

2012-01-01

Abstract:MISTY1 is a Feistel block cipher with a 64-bit block and a 128-bit key. It is one of the final NESSIE portfolio of block ciphers, and has been recommended for Japanese e-Government ciphers by the CRYPTREC project. In this paper, we improve the impossible differential attack on 6-round MISTY1 with 4 FL layers introduced by Dunkelman et al. with a factor of 211 for the time complexity. Furthermore, combing with the FL function properties and the key schedule algorithm, we propose an impossible differential attack on 7-round MISTY1 with 3 FL layers, which needs 258 known plaintexts and 2124.4 7-round encryptions. It is the first attack on 7-round MISTY1 in the known plaintext model to the best of our knowledge. Besides, we show an improved impossible differential attack on 7-round MISTY1 without FL layers with 292.2 7-round encryptions and 255 chosen plaintexts, which has lower time complexity than previous attacks.

Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-12827-1_1

2010-01-01

Abstract:Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. Skein had been updated after it entered the second round; the only difference between the original and the new version is the rotation constants. In this paper we construct related-key boomerang distinguishers on round-reduced Threefish-512 based on the new rotation constants using the method of modular differential. With these distinguishers, we mount related-key boomerang key recovery attacks on Threefish-512 reduced to 32, 33 and 34 rounds. The attack on 32-round Threefish-512 has time complexity 2195 with memory of 212 bytes. The attacks on Threefish-512 reduced to 33 and 34 rounds have time complexity of 2324.6 and 2474.4 encryptions respectively, and both with negligible memory. The best key recovery attack known before is proposed by Aumasson et al. Their attack, which bases on the old rotation constants, is also a related-key boomerang attack. For 32-round Threefish-512, their attack requires 2312 encryptions and 271 bytes of memory.

Ning Wang,Xiaoyun Wang,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-30840-1_9

2015-01-01

Abstract:LBlock is a 32-round lightweight block cipher with a 64-bit block size and an 80-bit key. This paper presents a new impossible differential attack on LBlock by improving the previous best result for 1 more round. Based on the nibble conditions, detailed differential properties of LBlock S-Boxes and thorough exploration of subkey relations, we set up well precomputation tables to collect the data needed and propose an optimal key-guessing arrangement to effectively reduce the time complexity of the attack. With these techniques, we launch an impossible differential attack on 24-round LBlock. To the best of our knowledge, this attack is currently the best in terms of the number of rounds attacked (except for biclique attacks).

Qingju Wang,Dawu Gu,Vincent Rijmen,Ya Liu,Jiazhe Chen,Andrey Bogdanov

DOI: https://doi.org/10.1007/978-3-642-37682-5_10

2012-01-01

Abstract:In this paper, we present more powerful 6-round impossible differentials for large-block Rijndael-224 and Rijndael-256 than the ones used by Zhang et al. in ISC 2008. Using those, we can improve the previous impossible differential cryptanalysis of both 9-round Rijndael-224 and Rijndael-256. The improvement can lead to 10-round attack on Rijndael-256 as well. With 2198.1 chosen plaintexts, an attack is demonstrated on 9-round Rijndael-224 with 2195.2 encryptions and 2140.4 bytes memory. Increasing the data complexity to 2216 plaintexts, the time complexity can be reduced to 2130 encryptions and the memory requirements to 293.6 bytes. For 9-round Rijndael-256, we provide an attack requiring 2229.3 chosen plaintexts, 2194 encryptions, and 2139.6 bytes memory. Alternatively, with 2245.3 plaintexts, an attack with a reduced time of 2127.1 encryptions and a memory complexity of 290.9 bytes can be mounted. With 2244.2 chosen plaintexts, we can attack 10-round Rijndael-256 with 2253.9 encryptions and 2186.8 bytes of memory.

Zhan Chen,Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-49151-6_1

2016-01-01

Abstract:The Midori family of light weight block cipher is presented in ASIACRYPT2015. It is uses a SPN structure and has two versions: Midori64 and Midori128. In this paper we use a 6-round impossible differential path and present 10-round impossible differential attack on Midori128. We exploit the properties of S-boxes to aid our attack. We construct a hash table in the pre-computation phase to reduce time complexity. Our attack requires 2(116.17) chosen plaintexts, 2(97) blocks of memory and 2(116.71) 10-round Midori128 encryptions. We show that this is the first attack ever applied to Midori128.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.