Liu Ya,Dawu Gu,Zhiqiang Liu,Wei Li,Weihao Kong

DOI: https://doi.org/10.1007/978-94-007-2792-2_43

2011-01-01

Abstract:In this paper, we propose a novel impossible differential attack on 7-round AES-128. Firstly, we construct some new 2-round impossible differentials of AES, which allow us to distinguish the wrong keys from the correct key more efficiently. Based on them, we present an impossible differential attack on 7-round AES-128. The data complexity is about $$ 2^{80} $$ chosen plaintexts. Compared to the best known result, the data complexity of our attack is reduced by nearly $$ 2^{ - 26.2} $$ times.

Rui Zong,Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9382-2

2019-01-01

Science China Information Sciences

Abstract:Deoxys-BC is the internal tweakable block cipher of Deoxys, a third-round authenticated encryption candidate at the CAESAR competition. In this study, by adequately studying the tweakey schedule, we seek a six-round related-tweakey impossible distinguisher of Deoxys-BC-256, which is transformed from a 3.5-round single-key impossible distinguisher of AES, by application of the mixed integer linear programming (MILP) method. We present a detailed description of this interesting transformation method and the MILPmodeling process. Based on this distinguisher, we mount a key-recovery attack on 10 (out of 14) rounds of Deoxys-BC-256. Compared to previous results that are valid only when the key size > 204 and the tweak size < 52, our method can attack 10-round Deoxys-BC-256 as long as the key size > 174 and the tweak size 6 82. For the popular setting in which the key size is 192 bits, we can attack one round more than previous studies. Note that this paper only gives a more accurate security evaluation and does not threaten the security of full-round Deoxys-BC-256.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1155/2022/3611840

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:LiCi-2 is an ultralightweight block cipher designed for constrained IoT devices. It is a successor of LiCi and has even better performance in both software and hardware implementation. In this paper, based on the idea of related-key multiple impossible differential cryptanalysis, a key recovery attack on full-round LiCi-2 is proposed. First, an interesting property is revealed that, with a single bit difference in the related key, a 10-round differential character with probability of 1 exists on LiCi-2. With an automatic approach, the boundaries of impossible differential distinguishers in terms of single-key setting and related-key setting are explored. Under our construction method, the longest length is 8 rounds for single-key setting and 18 rounds for related-key setting. Finally, based on these 18-round distinguishers, a 25-round key recovery attack is proposed with adding 3 rounds before and 4 rounds after the distinguisher. Our attack needs one related key. The time complexity for our attack is O(2123.44), the memory complexity is O(294), and the data complexity is O(260.68). As far as we know, no full-round attack has previously been reported on LiCi-2.

Rui Zong,Xiaoyang Dong

DOI: https://doi.org/10.1109/access.2019.2946638

IF: 3.9

2019-01-01

IEEE Access

Abstract:In this paper, we study the relation of related-tweak/key impossible differentials with single-key ones. Following a heuristic strategy, we can derive longer related-tweak/key impossible differentials from single-key ones. We implement this strategy with the MILP technique and apply it to search related-tweak/key impossible differentials of two tweakable block ciphers: QARMA-64 and Joltik-BC-128. For QARMA-64, we find several 7-round related-tweak impossible differential distinguishers and use them to mount a 10-round key recovery attack including the outer whitening key; for Joltik-BC-128, we find two 6-round related-tweakey impossible differential distinguishers and use them attack 9-round and 10-round Joltik-BC-128 respectively.

Li Zhang,Yu Zhang,Wenling Wu,Yongxia Mao,Yafei Zheng

DOI: https://doi.org/10.1093/comjnl/bxad009

2023-03-09

The Computer Journal

Abstract:Abstract Whether a block cipher can resist impossible differential attack is an important basis to evaluate the security of a block cipher. However, the length of impossible differentials is important for the security evaluation of block ciphers. Most of the previous studies are based on structural cryptanalysis to find the impossible differential, and the structural cryptanalysis covers a lot of specific cryptanalytic vectors which are independent of the nonlinear S-boxes. In this paper, we study the maximum length of the impossible differential of an Advanced Encryption Standard-like cipher in the setting with the details of S-boxes. Inspired by the ‘Divide-and-Conquer’ technique, we propose a new technique called Reduced Block, which combines the details of the S-box. With this tool, the maximum length of impossible differentials can be proven under reasonable assumptions. As applications, we use this tool on uBlock and Midori. Consequently, we prove that for uBlock-128, uBlock-256 and Midori-64, there are no impossible five-round, six-round and seven-round differentials with one active input nibble and one active output nibble, even when considering the details of S-boxes. Furthermore, we reveal some properties of the uBlock S-box and linear layer and demonstrate theoretically that there are no impossible differentials longer than four rounds for uBlock-128 under the assumption that the round keys are independent and uniformly random. This study might provide some insight into the bounds of the length of impossible differentials.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Shion UTSUMI,Kosei SAKAMOTO,Takanori ISOBE

DOI: https://doi.org/10.1587/transfun.2023eap1149

2024-01-01

Abstract:Lightweight block ciphers have gained attention in recent years due to the increasing demand for sensor nodes, RFID tags, and various applications. In such a situation, lightweight block ciphers Piccolo and TWINE have been proposed. Both Piccolo and TWINE are designed based on the Generalized Feistel Structure. However, it is crucial to address the potential vulnerability of these structures to the impossible differential attack. Therefore, detailed security evaluations against this attack are essential. This paper focuses on conducting bit-level evaluations of Piccolo and TWINE against related-key impossible differential attacks by leveraging SAT-aided approaches. We search for the longest distinguishers under the condition that the Hamming weight of the active bits of the input, which includes plaintext and master key differences, and output differences is set to 1, respectively. Additionally, for Tweakable TWINE, we search for the longest distinguishers under the related-tweak and related-tweak-key settings. The result for Piccolo with a 128-bit key, we identify the longest 16-round distinguishers for the first time. In addition, we also demonstrate the ability to extend these distinguishers to 17 rounds by taking into account the cancellation of the round key and plaintext difference. Regarding evaluations of TWINE with a 128-bit key, we search for the first time and reveal the distinguishers up to 19 rounds. For the search for Tweakable TWINE, we evaluate under the related-tweak-key setting for the first time and reveal the distinguishers up to 18 rounds for 80-bit key and 19 rounds for 128-bit key.

computer science, information systems,engineering, electrical & electronic, hardware & architecture

Tongfei Xia,Anhui Jiyuan,Ziran Zhao,Wei Li,Haoran Fan,Can Cao

DOI: https://doi.org/10.33969/eecs.v3.002

2019-01-01

Abstract:AES is the mostly used block cipher nowadays.At CRYPTO 2016, Sun et al. proposed the first 5-round distinguisher of the AES [19].However, it is somewhat closely related with the keys and hardly be used to mount a key recovery attack.Later in FSE 2016 [12] and EUROCRYPT 2017 [13], the distinguisher was improved.In this paper, by combining the techniques proposed by Sun et al. at CRYPTO 2016, we find a new 3-round integral distinguisher of AES which is closely related with the round keys.Then, based on the new distinguisher, we develop new techniques and give a new integral cryptanalysis for the round-reduced AES.We believe this may give new insight on the security of the AES.

Keting Jia,Leibo Li

DOI: https://doi.org/10.1007/978-3-642-35416-8_2

2012-01-01

Abstract:MISTY1 is a Feistel block cipher with a 64-bit block and a 128-bit key. It is one of the final NESSIE portfolio of block ciphers, and has been recommended for Japanese e-Government ciphers by the CRYPTREC project. In this paper, we improve the impossible differential attack on 6-round MISTY1 with 4 FL layers introduced by Dunkelman et al. with a factor of 211 for the time complexity. Furthermore, combing with the FL function properties and the key schedule algorithm, we propose an impossible differential attack on 7-round MISTY1 with 3 FL layers, which needs 258 known plaintexts and 2124.4 7-round encryptions. It is the first attack on 7-round MISTY1 in the known plaintext model to the best of our knowledge. Besides, we show an improved impossible differential attack on 7-round MISTY1 without FL layers with 292.2 7-round encryptions and 255 chosen plaintexts, which has lower time complexity than previous attacks.

Jie Cui,Liusheng Huang,Hong Zhong,Wei Yang

DOI: https://doi.org/10.1109/ICCSE.2010.5593579

2010-01-01

Abstract:In this paper the authors present an attack on 7-round AES-128/256 to improve the known cryptanalysis by changing the order of round transformation , using the alternative representation of the round keys, exploiting the relationship of keys, designing the key difference pattern properly. By using the improved attack method, the complexity is reduced from 2 192 to 2 104 with 2 72 chosen plaintexts, the authors reduce complexity to 2 88 using partial sums. ©2010 IEEE.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Zhe Liu,Jean-Francois Gallais

DOI: https://doi.org/10.1016/j.cose.2013.07.002

IF: 5.105

2013-01-01

Computers & Security

Abstract:Existing trace driven cache attacks (TDCAs) can only analyze the cache events in the first two rounds or the last round of AES, which limits the efficiency of the attacks. Recently, Zhao et al. proposed the multiple deductions-based algebraic side-channel attack (MDASCA) to cope with the errors in leakage measurements and to exploit new leakage models. Their preliminary results showed that MDASCA can improve TDCAs and attack the AES implemented with a compact lookup table of 256 bytes. This paper performs a comprehensive study of MDASCA-based TDCAs (MDATDCA) on most of the AES implementations that are widely used. First, the key recovery in TDCA is depicted by an abstract model regardless of the specific attack techniques. Then, the previous work of TDCAs on AES is classified into three types and its limitations are analyzed. How to utilize the cache events with MDATDCA is presented and the overhead is also calculated. To evaluate MDATDCA on AES, this paper constructs a mathematical model to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA. Extensive experiments are conducted under different implementations, attack scenarios and key lengths of AES. The experimental results are consistent with the theoretical analysis. Many improvements are achieved. For the first time, we show that TDCAs on AES-192 and AES-256 become possible with the MDATDCA technique. Our work attests that combining TDCAs with algebraic techniques is a very efficient way to improve cache attacks.

Wenying Zhang,Zhen Xiao,Mengzhu Li

DOI: https://doi.org/10.1504/ijhpcn.2017.10008233

2017-01-01

International Journal of High Performance Computing and Networking

Abstract:Tiaoxin-346 is a nonce-based authenticated encryption scheme designed by Ivica Nikolić and has been submitted to the CAESAR competition. Tiaoxin-346 uses three parallel structures of T3, T4, T6 as an important part of the algorithm. In this work, we give the differential analysis. The differential trail designed by designer has 30 active S-boxes (a difference goes six times through two AES rounds) and holds with a probability of at most 2−180. On the base of the forgery attack, we add one round after the last round in the original trail and make the inputs to T3 and T4 have the same difference. We assume the difference can be controlled. Therefore, there is no difference for the state T6. The probability of differential trail is 2−174. By the same method, we add one round before the first round. The probability of differential trail is 2−150. Absolutely, the probabilities are much higher than the designer's.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-46706-0_7

2014-01-01

Abstract:This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with 2 121 chosen plaintexts, 2(187.5) 9-round encryptions and 2(185) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.

Rui Zong,Xiaoyang Dong,Huaifeng Chen,Yiyuan Luo,Si Wang,Zheng Li

DOI: https://doi.org/10.46586/tosc.v2021.i1.156-184

2021-01-01

Abstract:When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

Shiqi Hou,Baofeng Wu,Shichang Wang,Hao Guo,Dongdai Lin

DOI: https://doi.org/10.1093/comjnl/bxad075

2024-01-01

Abstract:In truncated differential cryptanalysis of symmetric primitives, a generalized framework is to search a distinguisher concerning part of output differences, like truncated differential distribution (TDD) on certain bits (e.g. a nibble) first, and then append several rounds before and after it to recover the secret key. The logarithmic likelihood ratio statistic with respect to the TDD is usually used to distinguish guessed key bits. In this paper, we study how to improve the effect of truncated differential cryptanalysis by considering key schedules of the attacked ciphers. It turns out that for a cipher with a simple key schedule, certain guessed subkey bits may reveal information of the master key, which will help build a stronger TDD distinguisher and reduce the key recovery complexity or attack more rounds. As a result, we explore heuristic techniques to search key-recovery-friendly TDDs and construct automatic search models based on MILP. The refined methods are applied to two recent designs of symmetric primitives, WARP and Orthros, together with peculiarities of their structures as well. For WARP, after making two observations on relations between certain differences with key bits, we propose an algorithm that can find TDDs with low complexities and having potentialities to cover more rounds. Consequently, we launch key recovery attacks on 24 to 27 rounds of WARP. When it comes to Orthros, we present a two-step search algorithm to balance the number of guessed key bits and TDDs, obtaining a key recovery attack on a 7-round variant of it in the weak-key setting. Finally, we perform several verification experiments on round-reduced versions of WARP and Orthros, and the experimental results are consistent with the theoretical distributions and the analysis of generalized key recovery attack framework.

Qingju Wang,Dawu Gu,Vincent Rijmen,Ya Liu,Jiazhe Chen,Andrey Bogdanov

DOI: https://doi.org/10.1007/978-3-642-37682-5_10

2012-01-01

Abstract:In this paper, we present more powerful 6-round impossible differentials for large-block Rijndael-224 and Rijndael-256 than the ones used by Zhang et al. in ISC 2008. Using those, we can improve the previous impossible differential cryptanalysis of both 9-round Rijndael-224 and Rijndael-256. The improvement can lead to 10-round attack on Rijndael-256 as well. With 2198.1 chosen plaintexts, an attack is demonstrated on 9-round Rijndael-224 with 2195.2 encryptions and 2140.4 bytes memory. Increasing the data complexity to 2216 plaintexts, the time complexity can be reduced to 2130 encryptions and the memory requirements to 293.6 bytes. For 9-round Rijndael-256, we provide an attack requiring 2229.3 chosen plaintexts, 2194 encryptions, and 2139.6 bytes memory. Alternatively, with 2245.3 plaintexts, an attack with a reduced time of 2127.1 encryptions and a memory complexity of 290.9 bytes can be mounted. With 2244.2 chosen plaintexts, we can attack 10-round Rijndael-256 with 2253.9 encryptions and 2186.8 bytes of memory.

Orhun Kara

DOI: https://doi.org/10.1080/01611194.2024.2320362

2024-04-04

Cryptologia

Abstract:In this work, we examine the security of the 8-round AES, under the known plaintext attack scenario, a type of cryptographic attack in which an attacker has access to the plaintext and corresponding ciphertext pairs. We present an innovative impossible differential (ID) attack technique, which utilizes a specific ID characteristic, to perform the first known plaintext attack on the 8-round AES with a 256-bit key. Additionally, we propose a new attack methodology, known as the Square Impossible Differential (SID) attack, to enhance the effectiveness of the ID attacks on AES in chosen ciphertext or plaintext scenarios. The SID attack is a combination of a square attack and an ID attack. Our methodology introduces various new approaches, including the key indicator vectors, eliminating the key candidate through the Meet-in-The-Middle technique and mounting the guess and determine attack through the hash tables for the two-round decryption of one column of AES while determining the subkeys constituting the impossible differential characteristic for a given plaintext/ciphertext difference pair. Our approach demonstrates lower computational complexity compared to previous methods, and our analysis shows that the complexities of our known plaintext attack and SID attack are estimated to be 2 220 and 2 209 , respectively.

mathematics, applied,computer science, theory & methods,history & philosophy of science

Ya Liu,Yifan Shi,Dawu Gu,Bo Dai,Fengyu Zhao,Wei Li,Zhiqiang Liu,Zhiqiang Zeng

DOI: https://doi.org/10.1007/s11432-017-9365-4

2019-01-01

Science China Information Sciences

Abstract:Rijndael is a substitution-permutation network (SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256, that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2244.4 chosen plaintexts, 2240.1 encryptions, and 2181.4 blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2214.4 chosen plaintexts, 2241.3 encryptions, and 2183.4 blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2214.4 chosen plaintexts, 2113.4 encryptions, and 287.4 blocks, respectively, or 2206.6 chosen plaintexts, 2153.6 encryptions, and 2111.6 blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.

Byoungjin Seok

DOI: https://doi.org/10.3390/electronics13204053

IF: 2.9

2024-10-16

Electronics

Abstract:Recently, differential-neural cryptanalysis, which integrates deep learning with differential cryptanalysis, has emerged as a powerful and practical cryptanalysis method. It has been particularly applied to lightweight block ciphers, which are characterized by simple structures and operations, and relatively small block and key sizes. In resource-constrained environments, such as Internet of Things (IoT), it is essential to verify the resistance of existing lightweight block ciphers against differential-neural cryptanalysis to ensure security. In differential-neural cryptanalysis, a deep learning model, known as a neural distinguisher, is trained to differentiate a target cipher from others, facilitating key recovery through statistical analysis. For successful differential-neural cryptanalysis, it is crucial to develop a highly accurate neural distinguisher and to optimize the key recovery attack algorithm. In this paper, we introduce a novel neural distinguisher and key recovery attack against the 15-round reduced HIGHT cipher. Our proposed neural distinguisher is capable of distinguishing HIGHT ciphertext by analyzing only a portion of the ciphertext, which we refer to as a truncated neural distinguisher. Notably, our experiments demonstrate that the truncated neural distinguisher achieves performance comparable to existing distinguishers trained on entire ciphertext blocks, while enabling a more efficient key recovery attack through a divide-and-conquer strategy. Furthermore, we observe a significant improvement in key recovery efficiency compared to traditional cryptanalysis methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Leibo Li,Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-25513-7_4

2011-01-01

Abstract:Camellia is one of the widely used block ciphers, which has been selected as an international standard by ISO/IEC. In this paper, by exploiting some interesting properties of the key-dependent layer, we improve previous results on impossible differential cryptanalysis of reduced-round Camellia and gain some new observations. First, we introduce some new 7-round impossible differentials of Camellia for weak keys. These weak keys that work for the impossible differential take 3/4 of the whole key space, therefore, we further get rid of the weak-key assumption and leverage the attacks on reduced-round Camellia to all keys by utilizing the multiplied method. Second, we build a set of differentials which contains at least one 8-round impossible differential of Camellia with two FL/FL−1 layers. Following this new result, we show that the key-dependent transformations inserted in Camellia cannot resist impossible differential cryptanalysis effectively. Based on this set of differentials, we present a new cryptanalytic strategy to mount impossible differential attacks on reduced-round Camellia.