Fukang Liu,Willi Meier,Santanu Sarkar,Gaoli Wang,Ryoma Ito,Takanori Isobe

DOI: https://doi.org/10.46586/tosc.v2022.i3.152-190

2022-01-01

IACR Transactions on Symmetric Cryptology

Abstract:ZUC-256 is a stream cipher designed for 5G applications by the ZUC team. Together with AES-256 and SNOW-V, it is currently being under evaluation for standardized algorithms in 5G mobile telecommunications by Security Algorithms Group of Experts (SAGE). A notable feature of the round update function of ZUC-256 is that many operations are defined over different fields, which significantly increases the difficulty to analyze the algorithm.As a main contribution, with the tools of the modular difference, signed difference and XOR difference, we develop new techniques to carefully control the interactions between these operations defined over different fields. At first glance, our techniques are somewhat similar to those developed by Wang et al. for the MD-SHA hash family. However, as ZUC-256 is quite different from the MD-SHA hash family and its round function is much more complex, we are indeed dealing with different problems and overcoming new obstacles.As main results, by utilizing complex input differences, we can present the first distinguishing attacks on 31 out of 33 rounds of ZUC-256 and 30 out of 33 rounds of the new version of ZUC-256 called ZUC-256-v2 with low time and data complexities, respectively. These attacks target the initialization phase and work in the related-key model with weak keys. Moreover, with a novel IV-correcting technique, we show how to efficiently recover at least 16 key bits for 15-round ZUC-256 and 14-round ZUC-256-v2 in the related-key setting, respectively. It is unpredictable whether our attacks can be further extended to more rounds with more advanced techniques. Based on the current attacks, we believe that the full 33 initialization rounds provide marginal security.

Yuankai Wang,Liji Wu,Xiangmin Zhang,Ke Xu,Wei Yan

DOI: https://doi.org/10.1109/asid50160.2020.9271719

2020-01-01

Abstract:In this paper, we present a hardware implementation of ZUC-256 stream cipher. ZUC-256 is developed from ZUC-128 to provide higher 256-bit security for 5G communication. The optimized implementation of ZUC-256 uses a five-stage pipeline architecture to shorten the critical path of the cipher. The evaluation results show that this architecture performs better than the other ZUC-128 designs in frequency and throughput, and satisfy the demand of LTE for 5G communication.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Li Zhang,Yu Zhang,Wenling Wu,Yongxia Mao,Yafei Zheng

DOI: https://doi.org/10.1093/comjnl/bxad009

2023-03-09

The Computer Journal

Abstract:Abstract Whether a block cipher can resist impossible differential attack is an important basis to evaluate the security of a block cipher. However, the length of impossible differentials is important for the security evaluation of block ciphers. Most of the previous studies are based on structural cryptanalysis to find the impossible differential, and the structural cryptanalysis covers a lot of specific cryptanalytic vectors which are independent of the nonlinear S-boxes. In this paper, we study the maximum length of the impossible differential of an Advanced Encryption Standard-like cipher in the setting with the details of S-boxes. Inspired by the ‘Divide-and-Conquer’ technique, we propose a new technique called Reduced Block, which combines the details of the S-box. With this tool, the maximum length of impossible differentials can be proven under reasonable assumptions. As applications, we use this tool on uBlock and Midori. Consequently, we prove that for uBlock-128, uBlock-256 and Midori-64, there are no impossible five-round, six-round and seven-round differentials with one active input nibble and one active output nibble, even when considering the details of S-boxes. Furthermore, we reveal some properties of the uBlock S-box and linear layer and demonstrate theoretically that there are no impossible differentials longer than four rounds for uBlock-128 under the assumption that the round keys are independent and uniformly random. This study might provide some insight into the bounds of the length of impossible differentials.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Yiyuan Luo,Xuejia Lai,Zhongming Wu,Guang Gong

DOI: https://doi.org/10.1155/2017/5980251

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:In this paper, we propose a systematic method for finding impossible differentials for block cipher structures, which we call the unified impossible differential finding method or UID-method. It is more effective than the U-method introduced by Kim et al. We apply the UID-method to some well-known block cipher structures. Using it, we find a 16-round impossible differential for Gen-Skipjack and a 19-round impossible differential for Gen-CAST256. By this result we can disprove Sung’s long standing conjecture that no such differential is possible for 16 or more rounds. On Gen-MARS and SMS4, the impossible differentials found by the UID-method are much longer than those found by the U-method. On the Four-Cell and Gen-RC6 block ciphers, our results are the same as the best results previously obtained.

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Lu Xiaojuan,Li Bohan,Liu Meicheng,Lin Dongdai

DOI: https://doi.org/10.1186/s42400-021-00108-3

2022-01-01

Abstract:Nonlinear feedback shift register (NFSR) is one of the most important cryptographic primitives in lightweight cryptography. At ASIACRYPT 2010, Knellwolf et al. proposed conditional differential attack to perform a cryptanalysis on NFSR-based cryptosystems. The main idea of conditional differential attack is to restrain the propagation of the difference and obtain a detectable bias of the difference of the output bit. QUARK is a lightweight hash function family which is designed by Aumasson et al. at CHES 2010. Then the extended version of QUARK was published in Journal of Cryptology 2013. In this paper, we propose an improved conditional differential attack on QUARK. One improvement is that we propose a method to select the input difference. We could obtain a set of good input differences by this method. Another improvement is that we propose an automatic condition imposing algorithm to deal with the complicated conditions efficiently and easily. It is shown that with the improved conditional differential attack on QUARK, we can detect the bias of output difference at a higher round of QUARK. Compared to the current literature, we find a distinguisher of U-QUARK/D-QUARK/S-QUARK/C-QUARK up to 157/171/292/460 rounds with increasing 2/5/33/8 rounds respectively. We have performed the attacks on each instance of QUARK on a 3.30 GHz Intel Core i5 CPU, and all these attacks take practical complexities which have been fully verified by our experiments. As far as we know, all of these results have been the best thus far.

Wang Jinpeng,Zhang Teng,Zhang Bo,Jeremy-Gillbanks,Zhao Xin

DOI: https://doi.org/10.1109/access.2022.3176609

IF: 3.9

2022-05-27

IEEE Access

Abstract:Frequency Hopping (FH) is a significant anti-interception and anti-interference, so some wireless communication systems extensively use it. Then it can offer better security performance of the system via combining cryptographic algorithms with FH. This paper presents a detailed theoretical design and hardware implementation of an evolutionary ZUC stream cipher algorithm on FPGA. Using some encryption algorithms can improve the security of the FH system by increasing its complexity, including SNOW3g, ZUC algorithm, Chaos system, and other cipher methods. ZUC (named for Zu Chongzhi, a famous mathematician in ancient China) is bitstream encryption that builds the core of the 3GPP integrity algorithm 128-EIA3 and the 3GPP confidentiality algorithm 128-EEA3, providing authentic security services in 4G, even in 5G (IMT-2020) to some extent. The article presented an evolutionary three-layers structure of the ZUC FH system, which innovatively applied the permutation polynomial algorithm and an evolutionary DES cipher algorithm. The introduction of that new DES and the permutation polynomial can efficiently increase the security performance of the ZUC system but also avoid some shortcomings of the UHF (Ultra High Frequency) communication. The experiment of this research designed software by coding VHDL language and implemented hardware using a XILINX Virtex-5 FPGA. The finished experiment gave, analyzed, and compared all results according to the performance of the proposed system and hardware resources. The tests for evaluating the randomness and security denote that the constructed sequences have better performance, including the randomness, linear complexity, and hamming correlations, and pass the NIST test finally. The experimental results show that this improved ZUC cipher stream algorithm proposed in the article can provide a high throughput of 2.08 Gbps under a 65MHz clock frequency. The authors will focus their future work on applying the evolutionary S-box and the a- gorithm with better security performance.

computer science, information systems,telecommunications,engineering, electrical & electronic

Keting Jia,Jiazhe Chen,Meiqin Wang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-28496-0_11

2011-01-01

Abstract:Modular Multiplication based Block Cipher (MMB) is a block cipher designed by Daemen et al. as an alternative to the IDEA block cipher. In this paper, we give a practical sandwich attack on MMB with adaptively chosen plaintexts and ciphertexts. By constructing a 5-round sandwich distinguisher of the full 6-round MMB with probability 1, we recover the main key of MMB with text complexity 240 and time complexity 240 MMB encryptions. We also present a chosen plaintexts attack on the full MMB by employing the rectangle-like sandwich attack, which the complexity is 266.5 texts, 266.5 MMB encryptions and 270.5 bytes of memory. In addition, we introduce an improved differential attack on MMB with 296 chosen plaintexts, 296 encryptions and 266 bytes of memory. Especially, even if MMB is extended to 7 rounds, the improved differential attack is applicable with the same complexity as that of the full MMB.

Anlin Xu,Youyu Wu,Jinjiang Yang,Min Zhu,Qiyi Zhao,Leibo Liu

DOI: https://doi.org/10.1109/cisce55963.2022.9851111

2022-01-01

Abstract:The ZUC-256 stream cipher algorithm has been incorporated into the security portfolio of 3GPP LTE-Advanced. Therefore, it is important to study its high-performance implementation. In this paper, we present a high-throughput hardware implementation of the ZUC-256 cryptographic algorithm for ASICs and FPGAs. By using a fully pipelined design scheme, the critical path of the algorithm in both operating modes is significantly shortened and the operating frequency is increased. The throughput of ZUC-256 is up to 160Gpbs with the area 15500GEs under TSMC 12nm technology. In comparison with other work, the area efficiency of the ASIC implementation is improved by 1.61 times and that of FPGA is improved by 1.06 times while the throughput rate is significantly improved.

Shiqiang Zhu,Gaoli Wang,Yu He,Haifeng Qian

DOI: https://doi.org/10.3837/tiis.2020.11.014

2020-01-01

Abstract:At EUROCRYPT 2015, Todo proposed a new technique named division property, and it is a powerful technique to find integral distinguishers. The original division property is also named word-based division property. Later, Todo and Morii once again proposed a new technique named the bit-based division property at FSE 2016 and find more rounds integral distinguisher for SIMON-32. There are two basic approaches currently being adopted in researches under the bit-based division property. One is conventional bit-based division property (CBDP), the other is bit-based division property using three-subset (BDPT). Particularly, BDPT is more powerful than CBDP. In this paper, we use Boolean Satisfiability Problem (SAT)-aided cryptanalysis to search integral distinguishers. We conduct experiments on SIMON-32/-48/64/-96, SIMON (102)-32/-48/-64, SIMECK-32/-48/-64, LBlock, GIFT and Khudra to prove the efficiency of our method. For SIMON (102)-32/-48/-64, we can determine some bits are odd, while these bits can only be determined as constant in the previous result. For GIFT, more balanced (zero-sum) bits can be found. For LBlock, we can find some other new integral distinguishers. For Khudra, we obtain two 9-round integral distinguishers. For other ciphers, we can find the same integral distinguishers as before.

Xuan Shen,Guoqiang Liu,Chao Li,Longjiang Qu

DOI: https://doi.org/10.1587/transfun.e101.a.863

2018-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:At FSE 2014, Grosso et al. proposed LS-designs which are a family of bitslice ciphers aiming at efficient masked implementations against side-channel analysis. They also presented two specific LS-designs, namely the non-involutive cipher Fantomas and the involutive cipher Robin. The designers claimed that the longest impossible differentials of these two ciphers only span 3 rounds. In this paper, for the two ciphers, we construct 4-round impossible differentials which are one round more than the longest impossible differentials found by the designers. Furthermore, with the 4-round impossible differentials, we propose impossible differential attacks on Fantomas and Robin reduced to 6 rounds (out of the full 12/16 rounds). Both of the attacks need 2(119) chosen plaintexts and 2(101.81) 6-round encryptions.

Keting Jia,Leibo Li,Christian Rechberger,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-35999-6_15

2012-01-01

Abstract:KASUMI is a block cipher which consists of eight Feistel rounds with a 128-bit key. Proposed more than 10 years ago, the confidentiality and integrity of 3G mobile communications systems depend on the security of KASUMI. In the practically interesting single key setting, only up to 6 rounds have been attacked so far. In this paper we use some observations on the FL and FO functions. Combining these observations with a key schedule weakness, we select some special input and output values to refine the general 5-round impossible differentials and propose the first 7-round attack on KASUMI with time and data complexities similar to the previously best 6-round attacks. This leaves now only a single round of security margin. The new impossible differential attack on the last 7 rounds needs 2114.3 encryptions with 252.5 chosen plaintexts. For the attack on the first 7 rounds, the data complexity is 262 known plaintexts and the time complexity is 2115.8 encryptions.

Feifan Wang,Gaoli Wang

DOI: https://doi.org/10.1007/978-3-031-09234-3_39

2022-01-01

Abstract:Since the differential-linear cryptanalysis was introduced by Langford and Hellman in 1994, there have been many works inheriting and developing this technique. It has been used to attack numerous ciphers, and in particular, sets the record for Serpent, ICEPOLE, Chaskey, 8-round AES, and so on. In CRYPTO 2020, Beierle et al. showed that the data complexity of differential-linear attack can be significantly reduced by generating enough right pairs artificially. In this paper, we manage to find the property in the differential propagation of modular addition. Based on this, we can select special bits to flip to produce right pairs in a certain differential-linear attack. For application, we focus on the differential-linear attack of the ARX cipher Speck32/64. With the differential-linear trail we concatenate, we construct 9-round and 10-round distinguishers with the correlation of 2(11.58) and 2(14.58), respectively. Then we use enough flipped bits to reduce the complexity of the key recovery attack. As a result, we can use only 225 chosen plaintexts to attack 14-round Speck32/64 with the time complexity of about 2(62), which has a slight improvement than before. To our best knowledge, this is the first differential-linear attack of the Speck family.

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-45721-1_17

2020-01-01

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the feature of the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 841-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 841-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to distinguishing attacks. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds.

Kai Hu,Qingju Wang,Meiqin Wang

DOI: https://doi.org/10.13154/tosc.v2020.i1.396-424

2020-01-01

Abstract:The bit-based division property (BDP) is the most effective technique for finding integral characteristics of symmetric ciphers. Recently, automatic search tools have become one of the most popular approaches to evaluating the security of designs against many attacks. Constraint-aided automatic tools for the BDP have been applied to many ciphers with simple linear layers like bit-permutation. Constructing models of complex linear layers accurately and efficiently remains hard. A straightforward method proposed by Sun et al. (called the S method), decomposes a complex linear layer into basic operations like COPY and XOR, then models them one by one. However, this method can easily insert invalid division trails into the solution pool, which results in a quicker loss of the balanced property than the cipher itself would. In order to solve this problem, Zhang and Rijmen propose the ZR method to link every valid trail with an invertible sub-matrix of the matrix corresponding to the linear layer, and then generate linear inequalities to represent all the invertible sub-matrices. Unfortunately, the ZR method is only applicable to invertible binary matrices (defined in Definition 3). To avoid generating a huge number of inequalities for all the sub-matrices, we build a new model that only includes that the sub-matrix corresponding to a valid trail should be invertible. The computing scale of our model can be tackled by most of SMT/SAT solvers, which makes our method practical. For applications, we improve the previous BDP for LED and MISTY1. We also give the 7-round BDP results for Camellia with FL/FL−1, which is the longest to date. Furthermore, we remove the restriction of the ZR method that the matrix has to be invertible, which provides more choices for future designs. Thanks to this, we also reproduce 5-round key-dependent integral distinguishers proposed at Crypto 2016 which cannot be obtained by either the S or ZR methods.

Kai Zhang,Xuejia Lai,Jie Guan,Bin Hu

DOI: https://doi.org/10.3837/tiis.2022.03.012

2022-01-01

KSII Transactions on Internet and Information Systems

Abstract:In the year 2020, a new lightweight block cipher mu(2) is proposed. It has both good software and hardware performance, and it is especially suitable for constrained resource environment. However, the security evaluation on mu(2) against impossible differential cryptanalysis seems missing from the specification. To fill this gap, an impossible differential cryptanalysis on mu(2) is proposed. In this paper, firstly, some cryptographic properties on mu(2) are proposed. Then several longest 7-round impossible differential distinguishers are constructed. Finally, an impossible differential cryptanalysis on mu(2) reduced to 10 rounds is proposed based on the constructed distinguishers. The time complexity for the attack is about 2(69.63) 10-round mu(2) encryptions, the data complexity is O(2(48)), and the memory complexity is 2(63.57) Bytes. The reported result indicates that mu(2) reduced to 10 rounds can't resist against impossible differential cryptanalysis.

LI Chao,WEI Yuechuan

DOI: https://doi.org/10.3969/j.issn.1001-2486.2012.05.025

2012-01-01

Abstract:The security of block cipher Zodiac against impossible differential cryptanalysis was re-evaluated.By analyzing the properties ofdiffusion layer P,two new 14-round impossible differentials of Zodiac were introduced.Based on the new impossible differential characteristics andcombining with the Early-Abort technique,an effective attack was applied to the full 16-round Zodiac,and the data complexity was 285.6 chosenplaintexts and the time complexity is only 232.6 encryptions.Compared with the previous best result,the time complexity in this paper decreaseswith a factor of 233.The result shows that Zodiac is vulnerable to impossible differential cryptanalysis due to its poor diffusion.

Yu Liu,Xiaolei Liu,Yanmin Zhao

DOI: https://doi.org/10.1155/2019/2062697

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:In order to adopt the restricted environment, such as radio frequency identification technology or sensor networking, which are the important components of the Internet of Things, lightweight block ciphers are designed. NUX is a 31-round iterative ultralightweight cipher proposed by Bansod et al. In this paper, we examine the resistance of NUX to differential and linear analysis and search for 1~31-round differential characteristics and linear approximations. In design specification, authors claimed that 25-round NUX is resistant to differential and linear attack. However, we can successfully perform 29-round differential attack on NUX with the 22-round differential characteristic found in this paper, which is 4 rounds more than the limitation given by authors. Furthermore, we present the key recovery attack on 22-round NUX using a 19-round linear approximation determined in this paper. Besides, distinguishing attack, whose distinguisher is built utilizing the property of differential propagation through NUX, is implemented on full NUX with data complexity 8.

Qingju Wang,Dawu Gu,Vincent Rijmen,Ya Liu,Jiazhe Chen,Andrey Bogdanov

DOI: https://doi.org/10.1007/978-3-642-37682-5_10

2012-01-01

Abstract:In this paper, we present more powerful 6-round impossible differentials for large-block Rijndael-224 and Rijndael-256 than the ones used by Zhang et al. in ISC 2008. Using those, we can improve the previous impossible differential cryptanalysis of both 9-round Rijndael-224 and Rijndael-256. The improvement can lead to 10-round attack on Rijndael-256 as well. With 2198.1 chosen plaintexts, an attack is demonstrated on 9-round Rijndael-224 with 2195.2 encryptions and 2140.4 bytes memory. Increasing the data complexity to 2216 plaintexts, the time complexity can be reduced to 2130 encryptions and the memory requirements to 293.6 bytes. For 9-round Rijndael-256, we provide an attack requiring 2229.3 chosen plaintexts, 2194 encryptions, and 2139.6 bytes memory. Alternatively, with 2245.3 plaintexts, an attack with a reduced time of 2127.1 encryptions and a memory complexity of 290.9 bytes can be mounted. With 2244.2 chosen plaintexts, we can attack 10-round Rijndael-256 with 2253.9 encryptions and 2186.8 bytes of memory.