ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Xuexin Zheng,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-12160-4_8

2014-01-01

Abstract:TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best considering different cryptanalysis methods, our algorithm which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively shows some novelty. Besides, some observations which may be used to mount other types of attacks are given. Overall, making use of some complicated subkey relations and time-memory tradeoff trick, the time, data and memory complexity of attacking 23-round TWINE-80 are 2(79.09) 23-round encryptions, 2(57.85) chosen plaintexts and 2(78.04) blocks respectively. Besides, the impossible differential attack on 24-round TWINE-128 needs 2(58.1) chosen plaintexts, 2(126.78) 24-round encryptions and 2(125.61) blocks of memory.

Meiqin Wang,Xiaoyun Wang,Kam Pui Chow,Lucas Chi Kwong Hui

DOI: https://doi.org/10.1587/transfun.e93.a.2744

2010-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics and they can attack 5-round CAST-128. In this paper, we studied the properties of round functions F1 and F3 in CAST-128, and identified differential characteristics for F1 round function and F3 round function. So we identified a 6-round differential characteristic with probability 2-53 under 2-23.8 of the total key space. Then based on 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72bits and 9-round CAST-128 with key sizes greater than or equal to 104bits. We give the summary of attacks on reduced-round CAST-128 in Table 10.

Ivica Nikolic,Lei Wang,Shuang Wu

DOI: https://doi.org/10.1007/978-3-662-43933-3_7

2013-01-01

Abstract:In this paper we present known-plaintext single-key and chosen-key attacks on round-reduced LED-64 and LED-128. We show that with an application of the recently proposed slidex attacks [5], one immediately improves the complexity of the previous single-key 4-step attack on LED-128. Further, we explore the possibility of multicollisions and show single-key attacks on 6 steps of LED-128. A generalization of our multicollision attack leads to the statement that no 6-round cipher with two subkeys that alternate, or 2-round cipher with linearly dependent subkeys, is secure in the single-key model. Next, we exploit the possibility of finding pairs of inputs that follow a certain differential rather than a differential characteristic, and obtain chosen-key differential distinguishers for 5-step LED-64, as well as 8-step and 9-step LED-128. We provide examples of inputs that follow the 8-step differential, i.e. we are able to practically confirm our results on 2/3 of the steps of LED-128. We introduce a new type of chosen-key differential distinguisher, called random-difference distinguisher, and successfully penetrate 10 of the total 12 steps of LED-128. We show that this type of attack is generic in the chosen-key model, and can be applied to any 10-round cipher with two alternating subkeys.

Meiqin Wang,Xiaoyun Wang,Changhui Hu

DOI: https://doi.org/10.1007/978-3-642-04159-4_28

2008-01-01

Abstract:This paper presents a linear cryptanalysis for reduced round variants of CAST-128 and CAST-256 block ciphers. Compared with the linear relation of round function with the bias 2驴 17 by J. Nakahara et al., we found the more heavily biased linear approximations for 3 round functions and the highest one is 2驴 12.91. We can mount the known-plaintext attack on 6-round CAST-128 and the ciphertext-only attack on 4-round CAST-128. Moreover the known-plaintext attack on 24-round CAST-256 with key size 192 and 256 bits has been given, and the ciphertext-only attack on 21-round CAST-256 with key size 192 and 256 bits can be performed. At the same time, we also present the attack on 18-round CAST-256 with key size 128 bits.

Shiqi Hou,Baofeng Wu,Shichang Wang,Hao Guo,Dongdai Lin

DOI: https://doi.org/10.1093/comjnl/bxad075

2024-01-01

Abstract:In truncated differential cryptanalysis of symmetric primitives, a generalized framework is to search a distinguisher concerning part of output differences, like truncated differential distribution (TDD) on certain bits (e.g. a nibble) first, and then append several rounds before and after it to recover the secret key. The logarithmic likelihood ratio statistic with respect to the TDD is usually used to distinguish guessed key bits. In this paper, we study how to improve the effect of truncated differential cryptanalysis by considering key schedules of the attacked ciphers. It turns out that for a cipher with a simple key schedule, certain guessed subkey bits may reveal information of the master key, which will help build a stronger TDD distinguisher and reduce the key recovery complexity or attack more rounds. As a result, we explore heuristic techniques to search key-recovery-friendly TDDs and construct automatic search models based on MILP. The refined methods are applied to two recent designs of symmetric primitives, WARP and Orthros, together with peculiarities of their structures as well. For WARP, after making two observations on relations between certain differences with key bits, we propose an algorithm that can find TDDs with low complexities and having potentialities to cover more rounds. Consequently, we launch key recovery attacks on 24 to 27 rounds of WARP. When it comes to Orthros, we present a two-step search algorithm to balance the number of guessed key bits and TDDs, obtaining a key recovery attack on a 7-round variant of it in the weak-key setting. Finally, we perform several verification experiments on round-reduced versions of WARP and Orthros, and the experimental results are consistent with the theoretical distributions and the analysis of generalized key recovery attack framework.

Haibo Zhou,Zheng Li,Xiaoyang Dong,Keting Jia,Willi Meier

DOI: https://doi.org/10.1093/comjnl/bxz152

2020-01-01

The Computer Journal

Abstract:A new conditional cube attack was proposed by Li et al. at ToSC 2019 for cryptanalysis of KECCAK keyed modes. In this paper, we find a new property of Li et al.'s method. The conditional cube attack is modified and applied to cryptanalysis of 5-round KETJE Jr, 6-round XOODOO-AE and XOODYAK, where KETJE Jr is among the third round CAESAR competition candidates and XOODYAK is a Round 2 submission of the ongoing NIST lightweight cryptography project. For the updated conditional cube attack, all our results are shown to be of practical time complexity with negligible memory cost, and test codes are provided. Notably, our results on XOODYAK represent the first third-party cryptanalysis for XOODYAK.

Ning Wang,Xiaoyun Wang,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-30840-1_9

2015-01-01

Abstract:LBlock is a 32-round lightweight block cipher with a 64-bit block size and an 80-bit key. This paper presents a new impossible differential attack on LBlock by improving the previous best result for 1 more round. Based on the nibble conditions, detailed differential properties of LBlock S-Boxes and thorough exploration of subkey relations, we set up well precomputation tables to collect the data needed and propose an optimal key-guessing arrangement to effectively reduce the time complexity of the attack. With these techniques, we launch an impossible differential attack on 24-round LBlock. To the best of our knowledge, this attack is currently the best in terms of the number of rounds attacked (except for biclique attacks).

Prasanna Ravi,Bolin Yang,Shivam Bhasin,Fan Zhang,Anupam Chattopadhyay

DOI: https://doi.org/10.46586/tches.v2023.i2.447-481

2023-01-01

Abstract:In this work, we present the first fault injection analysis of the Number Theoretic Transform (NTT). The NTT is an integral computation unit, widely used for polynomial multiplication in several structured lattice-based key encapsulation mechanisms (KEMs) and digital signature schemes. We identify a critical single fault vulnerability in the NTT, which severely reduces the entropy of its output. This in turn enables us to perform a wide-range of attacks applicable to lattice-based KEMs as well as signature schemes. In particular, we demonstrate novel key recovery and message recovery attacks targeting the key generation and encryption procedure of Kyber KEM. We also propose novel existential forgery attacks targeting deterministic and probabilistic signing procedure of Dilithium, followed by a novel verification bypass attack targeting its verification procedure. All proposed exploits are demonstrated with high success rate using electromagnetic fault injection on optimized implementations of Kyber and Dilithium, from the open-source pqm4 library on the ARM Cortex-M4 microcontroller. We also demonstrate that our proposed attacks are capable of bypassing concrete countermeasures against existing fault attacks on lattice-based KEMs and signature schemes. We believe our work motivates the need for more research towards development of countermeasures for the NTT against fault injection attacks.

Hongbo Yu,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-43933-3_14

2013-01-01

Abstract:The hash function Skein is one of 5 finalists of the NIST SHA-3 competition. It is based on the block cipher Threefish which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper proposes a free-start partial-collision attack on round-reduced Skein-256 by combing the rebound attack with the modular differential techniques. The main idea of our attack is to connect two short differential paths into a long one with another differential characteristic that is complicated. Following our path, we give a free-start partial-collision attack on Skein-256 reduced to 32 rounds with Hamming distance 50 and complexity about 2(85) hash computations. In particular, we provide practical near-collision examples for Skein-256 reduced to 24 rounds and 28 rounds in the fixed tweaks and choosing tweaks setting separately. As far as we know, this is the first construction of a non-linear differential path for Skein which can lead to significantly improvement over previous analysis.

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Anubhab Baksi,Jakub Breier,Yi Chen,Xiaoyang Dong

DOI: https://doi.org/10.23919/date51398.2021.9474092

2022-01-01

Abstract:At CRYPTO 2019, Gohr first introduces the deep learning based cryptanalysis on round-reduced SPECK. Using a deep residual network, Gohr trains several neural network based distinguishers on 8-round SPECK-32/64. The analysis follows an 'all-in-one' differential cryptanalysis approach, which considers all the output differences effect under the same input difference. Usually, the all-in-one differential cryptanalysis is more effective compared to the one using only one single differential trail. However, when the cipher is non-Markov or its block size is large, it is usually very hard to fully compute. Inspired by Gohr's work, we try to simulate the all-in-one differentials for non-Markov ciphers through machine learning. Our idea here is to reduce a distinguishing problem to a classification problem, so that it can be efficiently managed by machine learning. As a proof of concept, we show several distinguishers for four high profile ciphers, each of which works with trivial complexity. In particular, we show differential distinguishers for 8-round Gimli-Hash, Gimli-Cipher and Gimli-Permutation; 3-round Ascon-Permutation; 10-round Knot-256 permutation and 12-round Knot-512 permutation; and 4-round Chaskey-Permutation. Finally, we explore more on choosing an efficient machine learning model and observe that only a three layer neural network can be used. Our analysis shows the attacker is able to reduce the complexity of finding distinguishers by using machine learning techniques.

Liang Dong,Hongxin Zhang,Lei Zhu,Shaofei Sun,Han Gan,Fan Zhang

DOI: https://doi.org/10.1109/access.2019.2901753

IF: 3.9

2019-01-01

IEEE Access

Abstract:This paper presents an optimal method for recovering the secret keys of the light encryption device (LED) by combining the impossible differential fault attack with the algebraic differential fault attack. The proposed optimal method effectively improves the performance of fault attacks. A fault attack model, named the redundant random nibble fault model (RRNFM), is proposed to simulate a multiple fault injection in a real-world environment. Using the optimal method and the RRNFM, the 64-bit secret key of LED can be recovered by injecting no more than six faults in 1300 experiments. We establish an equation of inverse proportionality between the number of faults injected and the remaining amount of the secret key. Using the equation, the number of fault injection can be accurately predicted, providing an effective way of evaluating fault attacks.

Wei Li,Wenwen Zhang,Dawu Gu,Zhi Tao,Zhihong Zhou,Ya Liu,Zhiqiang Liu

DOI: https://doi.org/10.3837/tiis.2015.02.018

2015-01-01

KSII Transactions on Internet and Information Systems

Abstract:The TWINE is a new Generalized Feistel Structure (GFS) lightweight cryptosystem in the Internet of Things. It has 36 rounds and the key lengths support 80 bits and 128 bits, which are flexible to provide security for the RFID, smart cards and other highly-constrained devices. Due to the strong attacking ability, fast speed, simple implementation and other characteristics, the differential fault analysis has become an important method to evaluate the security of lightweight cryptosystems. On the basis of the 4-bit fault model and the differential analysis, we propose an effective differential fault attack on the TWINE cryptosystem. Mathematical analysis and simulating experiments show that the attack could recover its 80-bit and 128-bit secret keys by introducing 8 faulty ciphertexts and 18 faulty ciphertexts on average, respectively. The result in this study describes that the TWINE is vulnerable to differential fault analysis. It will be beneficial to the analysis of the same type of other iterated lightweight cryptosystems in the Internet of Things.

Ting Fan,Lingchen Li,Yongzhuang Wei,Enes Pasalic

DOI: https://doi.org/10.1177/15501329221119398

IF: 1.938

2022-09-04

International Journal of Distributed Sensor Networks

Abstract:International Journal of Distributed Sensor Networks, Volume 18, Issue 9, September 2022. Lightweight ciphers are often used as the underlying encryption algorithm in resource-constrained devices. Their cryptographic security is a mandatory goal for ensuring the security of data transmission. Differential cryptanalysis is one of the most fundamental methods applicable primarily to block ciphers, and the resistance against this type of cryptanalysis is a necessary design criterion. ANU-II is an ultra-lightweight block cipher proposed in 2017, whose design offers many advantages such as the use of fewer hardware resources (logic gates), low power consumption and fast encryption for Internet of Things devices. The designers of ANU-II claimed its resistance against differential cryptanalysis and postulated that the design is safe enough for Internet of Things devices. However, as addressed in this article, the security claims made by designers appear not to be well grounded. Using mixed-integer linear programming–like techniques, we identify one-round differential characteristic that holds with probability 1, which is then efficiently employed in mounting the key recovery attack on full-round ANU-II with only 22 chosen plaintexts and 262.4 full-round encryptions. The result shows that the designers' security evaluation of ANU-II against differential cryptanalysis is incorrect and the design rationale is flawed. To remedy this weakness, we provide an improved variant of ANU-II, which has much better resistance to differential cryptanalysis without affecting the hardware and/or software implementation cost.

Boxin Zhao,Xiaoyang Dong,Willi Meier,Keting Jia,Gaoli Wang

DOI: https://doi.org/10.1007/s10623-020-00730-1

2020-01-01

Abstract:This paper gives a new generalized key-recovery model of related-key rectangle attacks on block ciphers with linear key schedules. The model is quite optimized and applicable to various block ciphers with linear key schedule. As a proof of work, we apply the new model to two very important block ciphers, i.e. SKINNY and GIFT, which are basic modules of many candidates of the Lightweight Cryptography (LWC) standardization project by NIST. For SKINNY, we reduce the complexity of the best previous 27-round related-tweakey rectangle attack on SKINNY-128-384 from 2 331 to 2 294 . In addition, the first 28-round related-tweakey rectangle attack on SKINNY-128-384 is given, which gains one more round than before. For the candidate LWC SKINNY AEAD M1, we conduct a 24-round related-tweakey rectangle attack with a time complexity of 2 123 and a data complexity of 2 123 chosen plaintexts. For the case of GIFT-64, we give the first 24-round related-key rectangle attack with a time complexity 2 91.58 , while the best previous attack on GIFT-64 only reaches 23 rounds at most.

Ya Liu,Anren Yang,Bo Dai,Wei Li,Zhiqiang Liu,Dawu Gu,Zhiqiang Zeng

DOI: https://doi.org/10.1093/comjnl/bxy061

2018-01-01

Abstract:TWINE is a lightweight block cipher, which was proposed by NEC corporation in 2012. It is both a good example of common trade-offs in lightweight cryptography and one of the only instances of a GFN with improved diffusion layer. Therefore, its security has attracted amount of attention in recent years. In this paper, we present a meet-in-the-middle attack on 26-round TWINE-128 by exploiting the slow diffusion of key schedule. Specifically, we first construct a new 11-round distinguisher of TWINE. Based on it, we mount a meet-in-the-middle attack on 26-round TWINE-128. The data, time and memory complexities are 2(60) chosen plaintexts, 2(126.18) 26-round encryptions and 2(109) 64-bit blocks, respectively. Our results are better than all previous ones on TWINE-128 in the single-key scenario if not considering biclique cryptanalysis of TWINE-128.

Shichang Wang,Meicheng Liu,Shiqi Hou,Dongdai Lin

DOI: https://doi.org/10.62056/a6n5txol7

2024-01-01

Abstract:At CHES 2017, Banik et al. proposed a lightweight block cipher GIFT consisting of two versions GIFT-64 and GIFT-128. Recently, there are lots of authenticated encryption schemes that adopt GIFT-128 as their underlying primitive, such as GIFT-COFB and HyENA. To promote a comprehensive perception of the soundness of the designs, we evaluate their security against differential-linear cryptanalysis. For this, automatic tools have been developed to search differential-linear approximation for the ciphers based on S-boxes. With the assistance of the automatic tools, we find 13-round differential-linear approximations for GIFT-COFB and HyENA. Based on the distinguishers, 18-round key-recovery attacks are given for the message processing phase and initialization phase of both ciphers. Moreover, the resistance of GIFT-64/128 against differential-linear cryptanalysis is also evaluated. The 12-round and 17-round differential-linear approximations are found for GIFT-64 and GIFT-128 respectively, which lead to 18-round and 19-round key-recovery attacks respectively. Here, we stress that our attacks do not threaten the security of these ciphers.

Jialin Huang,Serge Vaudenay,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-319-13039-2_8

2014-01-01

Abstract:Key schedules in lightweight block ciphers are often highly simplified, which causes weakness that can be exploited in many attacks. Today it remains an open problem on how to use limited operations to guarantee enough diffusion of key bits in lightweight key schedules. Also, there are few tools special for detecting weakness in the key schedule.In 2013 Huang et al. pointed out that insufficient actual key information (AKI) in computation chains is responsible for many attacks especially the meet-in-the-middle (MITM) attacks. Motivated by this fact, in this paper we develop an efficient (with polynomial time complexity) and effective tool to search the computation chains which involve insufficient AKI for iterated key schedules of lightweight ciphers. The effectiveness of this tool is shown by an application on TWINE-80.Then, we formulate the cause of key bits leakage phenomenon, where the knowledge of subkey bits is leaked or overlapped by other subkey bits in the same computation chain. Based on the interaction of diffusion performed by the key schedule and by the round function, a necessary condition is thus given on how to avoid key bits leakage.Therefore, our work sheds light on the design of lightweight key schedules by guiding how to quickly rule out unreasonable key schedules and maximize the security under limited diffusion.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1155/2022/3611840

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:LiCi-2 is an ultralightweight block cipher designed for constrained IoT devices. It is a successor of LiCi and has even better performance in both software and hardware implementation. In this paper, based on the idea of related-key multiple impossible differential cryptanalysis, a key recovery attack on full-round LiCi-2 is proposed. First, an interesting property is revealed that, with a single bit difference in the related key, a 10-round differential character with probability of 1 exists on LiCi-2. With an automatic approach, the boundaries of impossible differential distinguishers in terms of single-key setting and related-key setting are explored. Under our construction method, the longest length is 8 rounds for single-key setting and 18 rounds for related-key setting. Finally, based on these 18-round distinguishers, a 25-round key recovery attack is proposed with adding 3 rounds before and 4 rounds after the distinguisher. Our attack needs one related key. The time complexity for our attack is O(2123.44), the memory complexity is O(294), and the data complexity is O(260.68). As far as we know, no full-round attack has previously been reported on LiCi-2.