Meiqin Wang,Xiaoyun Wang,Kam Pui Chow,Lucas Chi Kwong Hui

DOI: https://doi.org/10.1587/transfun.e93.a.2744

2010-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics and they can attack 5-round CAST-128. In this paper, we studied the properties of round functions F1 and F3 in CAST-128, and identified differential characteristics for F1 round function and F3 round function. So we identified a 6-round differential characteristic with probability 2-53 under 2-23.8 of the total key space. Then based on 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72bits and 9-round CAST-128 with key sizes greater than or equal to 104bits. We give the summary of attacks on reduced-round CAST-128 in Table 10.

Meiqin Wang,Xiaoyun Wang,Changhui Hu

DOI: https://doi.org/10.1007/978-3-642-04159-4_28

2008-01-01

Abstract:This paper presents a linear cryptanalysis for reduced round variants of CAST-128 and CAST-256 block ciphers. Compared with the linear relation of round function with the bias 2驴 17 by J. Nakahara et al., we found the more heavily biased linear approximations for 3 round functions and the highest one is 2驴 12.91. We can mount the known-plaintext attack on 6-round CAST-128 and the ciphertext-only attack on 4-round CAST-128. Moreover the known-plaintext attack on 24-round CAST-256 with key size 192 and 256 bits has been given, and the ciphertext-only attack on 21-round CAST-256 with key size 192 and 256 bits can be performed. At the same time, we also present the attack on 18-round CAST-256 with key size 128 bits.

Keting Jia,Leibo Li,Christian Rechberger,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-35999-6_15

2012-01-01

Abstract:KASUMI is a block cipher which consists of eight Feistel rounds with a 128-bit key. Proposed more than 10 years ago, the confidentiality and integrity of 3G mobile communications systems depend on the security of KASUMI. In the practically interesting single key setting, only up to 6 rounds have been attacked so far. In this paper we use some observations on the FL and FO functions. Combining these observations with a key schedule weakness, we select some special input and output values to refine the general 5-round impossible differentials and propose the first 7-round attack on KASUMI with time and data complexities similar to the previously best 6-round attacks. This leaves now only a single round of security margin. The new impossible differential attack on the last 7 rounds needs 2114.3 encryptions with 252.5 chosen plaintexts. For the attack on the first 7 rounds, the data complexity is 262 known plaintexts and the time complexity is 2115.8 encryptions.

Zhichao Xu,Hong Xu,Lin Tan,Wenfeng Qi

DOI: https://doi.org/10.1016/j.jisa.2024.103773

IF: 4.96

2024-04-19

Journal of Information Security and Applications

Abstract:SPECK and SPARX are two kinds of block ciphers with an ARX structure. In this paper, we use the SAT-based automatic search tool to search for linear approximations of these two ARX ciphers. As a result, we find a linear approximation for 17-round SPECK128, which covers one more round than previous work. Based on this linear approximation, we propose improved linear cryptanalysis for 19-round SPECK128/192 and 20-round SPECK128/256, which cover one more round than previous work. For ARX cipher SPARX, we find an optimal linear approximation for 13-round SPARX-64, which covers three more rounds than previous work. We also find an optimal linear approximation for 10-round SPARX-128, which covers two more rounds than previous work. Furthermore, we find a linear approximation for 14-round SPARX-128 by splicing two short linear approximations, which covers four more rounds than previous work. Based on these linear approximations, we propose linear cryptanalysis for 15-round SPARX-64/128, 15-round SPARX-128/128 and 16-round SPARX-128/256.

computer science, information systems

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Wentan Yi,Shaozhen Chen

DOI: https://doi.org/10.48550/arXiv.1405.6483

2014-05-26

Cryptography and Security

Abstract:Block cipher E2, designed and submitted by Nippon Telegraph and Telephone Corporation, is a first-round Advanced Encryption Standard candidate. It employs a Feistel structure as global structure and two-layer substitution-permutation network structure in round function with initial transformation IT function before the first round and final transformation FT function after the last round. The design principles influences several more recent block ciphers including Camellia, an ISO/IEC standard cipher. In this paper, we focus on the key-recovery attacks on reduced-round E2-128/192 taking both IT and FT functions in consideration with integral cryptanalysis. We first improve the relations between zero-correlation linear approximations and integral distinguishers, and then deduce some integral distinguishers from zero-correlation linear approximations over 6 rounds of E2. Furthermore, we apply these integral distinguishers to break 6-round E2-128 with 2^{120} known plaintexts (KPs), 2^{115.4} encryptions and 2^{28} bytes memory. In addition, the attack on 7-round E2-192 requires 2^{120} KPs, 2^{167.2} encryptions and 2^{60} bytes memory.

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

G. N. Krishnamurthy,V. Ramaswamy

DOI: https://doi.org/10.48550/arXiv.1004.0571

2010-04-05

Cryptography and Security

Abstract:this paper demonstrates analysis of well known block cipher CAST-128 and its modified version using avalanche criterion and other tests namely encryption quality, correlation coefficient, histogram analysis and key sensitivity tests.

Haibo Zhou,Rui Zong,Xiaoyang Dong,Keting Jia,Willi Meier

DOI: https://doi.org/10.1093/comjnl/bxaa101

2020-01-01

Abstract:We introduce an interpolation attack using the Moebius Transform. This can reduce the time complexity to get a linear system of equations for specified intermediate state bits, which is general to cryptanalysis of some ciphers with update function of low algebraic degree. Along this line, we perform an interpolation attack against Elephant-Delirium, a round 2 submission of the ongoing national institute of standards and technology (NIST) lightweight cryptography project. This is the first third-party cryptanalysis on this cipher. Moreover, we promote the interpolation attack by applying it to the Farfalle pseudo-random constructions Kravatte and Xoofff. Our attacks turn out to be the most efficient method for these ciphers thus far.

Jorge Nakahara,Pouyan Sepehrdad,Bingsheng Zhang,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-10433-6_5

2009-01-01

Abstract:The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

Leibo Li,Keting Jia,Xiaoyun Wang,Xiaoyang Dong

DOI: https://doi.org/10.1007/978-3-662-48116-5_3

2015-01-01

Abstract:As one of the generalizations of differential cryptanalysis, the truncated differential cryptanalysis has become a powerful toolkit to evaluate the security of block ciphers. In this article, taking advantage of the meet-in-the-middle like technique, we introduce a new method to construct truncated differential characteristics of block ciphers. Based on the method, we propose 10-round and 8-round truncated differential characteristics for CLEFIA and Camellia, respectively, which are ISO standard block ciphers. Applying the 10-round truncated differential characteristic for CLEFIA, we launch attacks on 14/14/15-round CLEFIA-128/192/256 with 2(108), 2(135) and 2(203) encryptions, respectively. For Camellia, we utilize the 8-round truncated differential to attack 11/12-round Camellia-128/192 including the FL/FL-1 and whiten layers with 2(121.3) and 2(185.3) encryptions. As far as we know, most of the cases are the best results of these attacks on both ciphers.

Boyu Ni,Gembu Ito,Xiaoyang Dong,Tetsu Iwata

DOI: https://doi.org/10.1007/978-3-030-35423-7_22

2020-01-01

Abstract:Generalized Feistel Schemes (GFSs) are important components of symmetric ciphers, which have been extensively studied in the classical setting. However, detailed security evaluations of GFS in the quantum setting still remain to be explored.

Xiaoxuan Lou,Fan Zhang,Guorui Xu,Ziyuan Liang,Xinjie Zhao,Shize Guo,Kui Ren

DOI: https://doi.org/10.1007/978-3-030-42921-8_29

2020-01-01

Abstract:Block ciphers with Feistel structures are vulnerable to a specific type of cache attacks named differential cache attacks. The attacks leverage side-channel leakages from cache and differential property of cipher component to reveal the master key of cipher. In this paper, we combine the algebraic analysis to enhance the attacks, and propose a novel method named Algebraic Differential Cache Attack (ADCA). By converting both cipher and cache leakages to algebraic equations, ADCA can reveal the cipher key automatically with the help of the SAT solver, which allows the analysis on much deeper rounds and makes a considerable reduction in attack complexity. When it is applied to the block cipher SM4, 10 plaintexts are enough to reveal the master key in 8-rounds analysis, while the traditional differential cache attack needs 20 ones. Finally, to eliminate the impact from noise, an error-tolerant method is proposed to deduce cache events from the leakage traces. It vastly enhances the robustness of attack, and makes the attack more practical. The experimental results show that the error-tolerant ADCA can correctly reveal the master key even when the uncertainty rate of cache events reaches to 60%.

Zhan Chen,Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-49151-6_1

2016-01-01

Abstract:The Midori family of light weight block cipher is presented in ASIACRYPT2015. It is uses a SPN structure and has two versions: Midori64 and Midori128. In this paper we use a 6-round impossible differential path and present 10-round impossible differential attack on Midori128. We exploit the properties of S-boxes to aid our attack. We construct a hash table in the pre-computation phase to reduce time complexity. Our attack requires 2(116.17) chosen plaintexts, 2(97) blocks of memory and 2(116.71) 10-round Midori128 encryptions. We show that this is the first attack ever applied to Midori128.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.06.001

2012-01-01

Abstract:The security of EPCBC,a lightweight block cipher proposed in CANS 2011,against the side-channel cube attack is evaluated by combining cube cryptanalysis with side-channel attack under the 8-bit Hamming weight leakage model.Under the black-box attack scenario,the adversary firstly generates random cube and superpoly.Then the cube is used to generate chosen plaintexts.The adversary deduces one bit of the intermediate state from the side-channel attack for each chosen plaintext and computes the high order differences of these one bit values to verify the relations between the cube and superpoly.Simulation experiments are launched on two variants of EPCBC with different block lengths.The results demonstrate that the unprotected implementation of EPCBC is vulnerable to side-channel cube attacks.If the adversary can accurately deduce the Hamming weight of the intermediate states from the side-channel leakages,many cubes and superpolys can be extracted and used for key recovery.372 chosen plaintexts can recover 48-bit of the master key for EPCBC(48,96) and reduce the key search space to 248.610 chosen plaintexts can recover full 96-bit of the master key for EPCBC(96,96) directly.The techniques of this paper can provide certain references to black-box side-channel cube attacks on other block ciphers.

Xiutao Feng,Fan Zhang,Hui Wang

2014-01-01

Abstract:PANDA is a family of authenticated ciphers submitted to CARSAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about 2 under the known-plaintext-attack model, which needs about 132 pairs of known plaintext/ciphertext. Based on the above attack, we further deduce a forgery attack against PANDA-s. Our results show that PANDA-s is far from the goal of its security design (128-bit level).

王薇,王小云

DOI: https://doi.org/10.3724/SP.J.1001.2009.00576

2009-01-01

Journal of Software

Abstract:An improved impossible differential attack on the block cipher CLEFIA is presented.CLEFIA was proposed by Sony Corporation at FSE 2007.Combining some observations with new tricks,the wrong keys are filtered out more efficiently,and the original impossible differential attack on 11-round CLEFIA-192/256 published by the designers,is extended to CLEFIA-128/192/256,with about 2103.1 encryptions and 2103.1 chosen plaintexts.By putting more constraint conditions on plaintext pairs,we present an attack on 12-round CLEFIA for all three key lengths with 2119.1 encryptions and 2119.1 chosen plaintexts.Moreover,a birthday sieve method is introduced to decrease the complexity of the precomputation.And an error about the time complexity evaluation in Tsunoo et al.'s attack on 12-round CLEFIA is pointed out and corrected.

Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.

Shivam Bhasin,Jingyu Pan,Fan Zhang

2018-01-01

Abstract:This works gives an overview of persistent fault attacks on block ciphers, a recently introduced fault analysis technique based on persistent faults. The fault typically targets stored constant of cryptographic algorithms over several encryption calls with a single injection. The underlying analysis technique statistically recovers the secret key and is capable of defeating several popular countermeasures by design.

Wenjie Liu,Mengting Wang,Zixian Li

DOI: https://doi.org/10.1007/s11128-023-03877-7

2023-09-24

Abstract:Exploiting quantum mechanisms, quantum attacks have the potential ability to break the cipher structure. Recently, Ito et al. proposed a quantum attack on Feistel-2* structure (Ito et al.'s attack) based onthe Q2 model. However, it is not realistic since the quantum oracle needs to be accessed by the adversary, and the data complexityis high. To solve this problem, a quantum all-subkeys-recovery (ASR) attack based on multi-equations quantum claw-finding is proposed, which takes a more realistic model, the Q1 model, as the scenario, and only requires 3 plain-ciphertext pairs to quickly crack the 6-round Feistel-2* structure. First, we proposed a multi-equations quantum claw-finding algorithm to solve the claw problem of finding multiple equations. In addition, Grover's algorithm is used to speedup the rest subkeys recovery. Compared with Ito et al.'s attack, the data complexity of our attack is reduced from O(2^n) to O(1), while the time complexity and memory complexity are also significantly reduced.

Quantum Physics,Cryptography and Security,Emerging Technologies