Yiyi Han,Caibing Wang,Zhongfeng Niu,Lei Hu,Debiao He

DOI: https://doi.org/10.23919/cje.2022.00.313

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Boolean satisfiability problem (SAT) is now widely applied in differential cryptanalysis and linear cryptanalysis for various cipher algorithms. It generated many excellent results for some ciphers, for example, Salsa20. In this research, we study the differential and linear propagations through the operations of addition, rotation and XOR (ARX), and construct the SAT models. We apply the models to CRAX to search differential trails and linear trails automatically. In this sense, our contribution can be broadly divided into two parts. We give the bounds for differential and linear cryptanalysis of Alzette both up to 12 steps, by which we present a 3-round differential attack and a 3-round linear attack for CRAX. We construct a 4-round key-recovery attack for CRAX with time complexity 289 times of 4-round encryption and data complexity 225.

engineering, electrical & electronic

Xuzi Wang,Baofeng Wu,Lin Hou,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-99136-8_7

2018-01-01

Abstract:In this paper, we revisit the relationship between the probability of differential trails and the input difference of each round for SIMON-like block ciphers. The key observation is that not only the Hamming weight but also the positions of active bits of the input difference have effect on the probability. Based on this, our contributions are mainly twofold. Firstly, we rebuild the MILP model for SIMON-like block ciphers without quadratic constraints. Accordingly, we give the accurate objective function and reduce its degree to one by adding auxiliary variants to make the model easy to solve. Secondly, we search for optimal differential trails for SIMON and SIMECK based on this model. To the best of our knowledge, this is the first time that related-key differential trails have been obtained. Besides, we not only recover the single-key results in [11], but also obtain impossible differentials through this method.

Haiwen Qin,Baofeng Wu

DOI: https://doi.org/10.48550/arXiv.2203.09741

2022-03-18

Abstract:ARX-based ciphers, constructed by the modular addition, rotation and XOR operations, have been receiving a lot of attention in the design of lightweight symmetric ciphers. For their differential cryptanalysis, most automatic search methods of differential trails adopt the assumption of independence of modulo additions. However, this assumption does not necessarily hold when the trail includes consecutive modular additions (CMAs). It has already been found that in this case some differential trails searched by automatic methods before are actually impossible, but the study is not in depth yet, for example, few effort has been paid to exploiting the root causes of non-independence between CMAs and accurate calculation of probabilities of the valid trails. In this paper, we devote to solving these two problems. By examing the differential equations of single and consecutive modular additions, we find that the influence of non-independence can be described by relationships between constraints on the intermediate state of two additions. Specifically, constraints of the first addition can make some of its output bits non-uniform, and when they meet the constraints of the second addition, the differential probability of the whole CMA may be different from the value calculated under the independence assumption. As a result, we can build SAT models to verify the validity of a given differential trail of ARX ciphers and #SAT models to calculate the exact probabilities of the differential propagation through CMAs in the trail, promising a more accurate evaluation of probability of the trail. Our automic methods and searching tools are applied to search related-key differential trails of SPECK and Chaskey including CMAs in the key schedule and the round function respectively.

Cryptography and Security

Wenying Zhang,Zhen Xiao,Mengzhu Li

DOI: https://doi.org/10.1504/ijhpcn.2017.10008233

2017-01-01

International Journal of High Performance Computing and Networking

Abstract:Tiaoxin-346 is a nonce-based authenticated encryption scheme designed by Ivica Nikolić and has been submitted to the CAESAR competition. Tiaoxin-346 uses three parallel structures of T3, T4, T6 as an important part of the algorithm. In this work, we give the differential analysis. The differential trail designed by designer has 30 active S-boxes (a difference goes six times through two AES rounds) and holds with a probability of at most 2−180. On the base of the forgery attack, we add one round after the last round in the original trail and make the inputs to T3 and T4 have the same difference. We assume the difference can be controlled. Therefore, there is no difference for the state T6. The probability of differential trail is 2−174. By the same method, we add one round before the first round. The probability of differential trail is 2−150. Absolutely, the probabilities are much higher than the designer's.

Hao Chen,Tao Wang,Shize Guo,Xinjie Zhao,Fan Zhang,Jian Liu

DOI: https://doi.org/10.1587/transfun.E100.A.811

2017-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:The differential fault analysis of SOSEMNAUK was presented in Africacrypt in 2011. In this paper, we improve previous work with algebraic techniques which can result in a considerable reduction not only in the number of fault injections but also in time complexity. First, we propose an enhanced method to determine the fault position with a success rate up to 990'o based on the single-word fault model. Then, instead of following the design of SOSEMANUK at word levels, we view SOSEMANUK at bit levels during the fault analysis and calculate most components of SOSEMANUK as bit-oriented. We show how to build algebraic equations for SOSEMANUK and how to represent the injected faults in bit-level. Finally, an SAT solver is exploited to solve the combined equations to recover the secret inner state. The results of simulations on a PC show that the full 384 bits initial inner state of SOSEMANUK can be recovered with only 15 fault injections in 3.97h.

Meicheng Liu,Xiaojuan Lu,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-030-84252-9_9

2021-01-01

Abstract:The differential-linear cryptanalysis is an important cryptanalytic tool in cryptography, and has been extensively researched since its discovery by Langford and Hellman in 1994. There are nevertheless very few methods to study the middle part where the differential and linear trail connect. In this paper, we study differential-linear cryptanalysis from an algebraic perspective. We first introduce a technique called Differential Algebraic Transitional Form (DATF) for differential-linear cryptanalysis, then develop a new theory of estimation of the differential-linear bias and techniques for key recovery in differential-linear cryptanalysis. The techniques are applied to the CAESAR and LWC finalist Ascon, the AES finalist Serpent, and the eSTREAM finalist Grain v1. The bias of the differential-linear approximation is estimated for Ascon and Serpent. The theoretical estimates of the bias are more accurate than that obtained by the Differential-Linear Connectivity Table (Bar-On et al., EUROCRYPT 2019), and the techniques can be applied with more rounds. Our general techniques can also be used to estimate the bias of Grain v1 in differential cryptanalysis, and have a markedly better performance than the Differential Engine tool tailor-made for the cipher. The improved key recovery attacks on round-reduced variants of these ciphers are then proposed. To the best of our knowledge, they are thus far the best known cryptanalysis of Serpent, as well as the best differential-linear cryptanalysis of Ascon and the best initialization analysis of Grain v1. The results have been fully verified by experiments. Notably, security analysis of Serpent is one of the most important applications of differential-linear cryptanalysis in the last two decades. The results in this paper update the differential-linear cryptanalysis of Serpent-128 and Serpent-256 with one more round after the work of Biham, Dunkelman and Keller in 2003.

Cui Tingting,Chen Shiyao,Fu Kai,Wang Meiqin,Jia Keting

DOI: https://doi.org/10.1007/s11432-018-1506-4

2020-01-01

Science China Information Sciences

Abstract:Impossible differential and zero-correlation linear cryptanalysis are two of the most powerful cryptanalysis methods in the field of symmetric key cryptography. There are several automatic tools to search such trails for ciphers with S-boxes. These tools focus on the properties of linear layers, and idealize the underlying S-boxes, i.e., assume any input and output difference pairs are possible. In reality, such S-box never exists, and the possible output differences with any fixed input difference can be at most half of the entire space. Hence, some of the possible differential trails under the ideal world become impossible in reality, possibly resulting in impossible differential trails for more rounds. In this paper, we firstly take the differential and linear properties of non-linear components such as S-box into consideration and propose a new automatic tool to search impossible differential trails for ciphers with S-box. We then generalize the tool to modulo addition, and apply it to ARX ciphers. To demonstrate the usefulness of the tool, we apply it to HIGHT, SHACAL-2, LEA, LBlock. As a result, it improves the best existing results of each cipher. keywords Impossible differential cryptanalysis, zero-correlation linear cryptanalysis, MILP, automatic tool

Huiqin Xie,Qiqing Xia,Ke Wang,Yanjun Li,Li Yang

2024-07-14

Abstract:Due to the superiority of quantum computing, traditional cryptography is facing severe threat. This makes the security evaluation of cryptographic systems in quantum attack models significant and urgent. For symmetric ciphers, the security analysis heavily relies on cyptanalytic tools. Thus exploring the use of quantum algorithms to traditional cyptanalytic tools has drawn a lot of attention. In this study, we utilize quantum algorithms to improve impossible differential attack, and design two quantum automatic tools for searching impossible differentials. The proposed quantum algorithms exploit the idea of miss-in-the-middle and the properties of truncated differentials. We rigorously prove their validity and calculate the quantum resources required to implement them. Compared to existing classical automatic cryptanalysis, the quantum tools proposed have the advantage of accurately characterizing S-boxes while only requiring polynomial complexity, and can take into consideration the impact of the key schedules in single-key model.

Quantum Physics

Guozhen Liu,Weidong Qiu,Yi Tu

DOI: https://doi.org/10.13154/tosc.v2019.i4.407-437

2020-01-01

Abstract:Keccak-f is the permutation used in the NIST SHA-3 hash function standard. Inspired by the previous exhaustive differential trail search methods by Mella et al. at ToSC 2017, we introduce in this paper new algorithms to cover 3-round trail cores with propagation weight at least 53, up from the previous best weight 45. To achieve the goal, the concept of ideal improvement assumption is proposed to construct theoretical representative of subspaces so as to efficiently cover the search space of 3-round trail cores with at least one out-Kernel α state. Of particular note is that the exhaustiveness in 3-round trail core search of at least one out-Kernel α is only experimentally verified. With the knowledge of all 3-round trail cores of weight up to 53, lower bounds on 4/5/6-round trails are tightened to 56/58/108, from the previous 48/50/92, respectively.

Huiqin Xie,Qiqing Xia,Ke Wang,Yanjun Li,Li Yang

DOI: https://doi.org/10.3390/math12162598

IF: 2.4

2024-08-24

Mathematics

Abstract:Due to the superiority of quantum computing, traditional cryptography is facing a severe threat. This makes the security evaluation of cryptographic systems in quantum attack models both significant and urgent. For symmetric ciphers, the security analysis heavily relies on cryptanalysis tools. Thus, exploring the use of quantum algorithms in traditional cryptanalysis tools has garnered considerable attention. In this study, we utilize quantum algorithms to improve impossible differential attacks and design two quantum automated tools to search for impossible differentials. The proposed quantum algorithms exploit the idea of miss-in-the-middle and the properties of truncated differentials. We rigorously prove their validity and calculate the quantum resources required for their implementation. Compared to the existing classical automated cryptanalysis, the proposed quantum tools have the advantage of accurately characterizing S-boxes while only requiring polynomial complexity, and can take into consideration the impact of the key schedules in a single-key model.

mathematics

Xinjie Zhao,Tao Wang,Shize Guo,Fan Zhang,Zhijie Shi,Huiying Liu,Kehui Wu

2011-01-01

Abstract:Introduced in 2009, Algebraic Side-Channel Attack (ASCA) has become a very effective cryptanalysis technique that is different from conventional side-channel attacks such as DPA and CPA. In this paper, we propose an innovative and generic attack framework named as SATETASCA (SAT based Error Tolerant Algebraic Side-Channel Attack). The proposed framework is effective even if the leakage information is not accurate and has large variants or errors. We show its generality by successfully launching SAT-ETASCA to AES on two different platforms, using different types of leakages. The first attack is to an AES implementation on an 8-bit microcontroller, using the Hamming weight leakage model. We demonstrate that SAT-ETASCA can recover the full key even when the obtained leakage information has about 60% errors. The second attack is based on an innovative idea of applying the external cache …

Xiaoxuan Lou,Fan Zhang,Guorui Xu,Ziyuan Liang,Xinjie Zhao,Shize Guo,Kui Ren

DOI: https://doi.org/10.1007/978-3-030-42921-8_29

2020-01-01

Abstract:Block ciphers with Feistel structures are vulnerable to a specific type of cache attacks named differential cache attacks. The attacks leverage side-channel leakages from cache and differential property of cipher component to reveal the master key of cipher. In this paper, we combine the algebraic analysis to enhance the attacks, and propose a novel method named Algebraic Differential Cache Attack (ADCA). By converting both cipher and cache leakages to algebraic equations, ADCA can reveal the cipher key automatically with the help of the SAT solver, which allows the analysis on much deeper rounds and makes a considerable reduction in attack complexity. When it is applied to the block cipher SM4, 10 plaintexts are enough to reveal the master key in 8-rounds analysis, while the traditional differential cache attack needs 20 ones. Finally, to eliminate the impact from noise, an error-tolerant method is proposed to deduce cache events from the leakage traces. It vastly enhances the robustness of attack, and makes the attack more practical. The experimental results show that the error-tolerant ADCA can correctly reveal the master key even when the uncertainty rate of cache events reaches to 60%.

Huiqin Xie,Li Yang

DOI: https://doi.org/10.48550/arXiv.1712.06997

2018-07-23

Abstract:Traditional cryptography is suffering a huge threat from the development of quantum computing. While many currently used public-key cryptosystems would be broken by Shor's algorithm, the effect of quantum computing on symmetric ones is still unclear. The security of symmetric ciphers relies heavily on the development of cryptanalytic tools. Thus, in order to accurately evaluate the security of symmetric primitives in the post-quantum world, it is significant to improve classical cryptanalytic methods using quantum algorithms. In this paper, we focus on two variants of differential cryptanalysis: truncated differential cryptanalysis and impossible differential cryptanalysis. Based on the fact that Bernstein-Vazirani algorithm can be used to find the linear structures of Boolean functions, we propose two quantum algorithms that can be used to find high-probability truncated differentials and impossible differentials of block ciphers, respectively. We rigorously prove the validity of the algorithms and analyze their complexity. Our algorithms treat all rounds of the reduced cipher as a whole and only concerns the input and output differences at its both ends, instead of specific differential characteristics. Therefore, to a certain extent, they alleviate the weakness of conventional differential cryptanalysis, namely the difficulties in finding differential characteristics as the number of rounds increases.

Quantum Physics,Cryptography and Security

Zhenzhen Bao,Wentao Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-16745-9_15

2015-01-01

Abstract:For judging the resistance of a block cipher to differential cryptanalysis or linear cryptanalysis it is necessary to establish an upper bound on the probability of the best differential or the bias of the best linear approximation. However, getting a tight upper bound is not a trivial problem. We attempt it by searching for the best differential and the best linear trails, which is a challenging task in itself. Based on some previous works, new strategies are proposed to speed up the search algorithm, which are called starting from the narrowest point, concretizing and grouping search patterns, and trialling in minimal changes order strategies. The efficiency of the resulting improved algorithms allows us to state that the probability (bias) of the best 4-round differential (linear) trail in NOEKEON is 2(-51) (2(-25)) and the probability (bias) of the best 10-round (11-round) differential (linear) trail is at most 2(-131) (2(-71)). For SPONGENT, the best differential trails for certain number of rounds in the permutation functions with width b is an element of {88, 136, 176, 240} are found. That allows us to update some results presented by its designers.

Xinjie Zhao,Shize Guo,Fan Zhang,Zhijie Shi,Chujiao Ma,Tao Wang

DOI: https://doi.org/10.1109/FDTC.2013.14

2013-01-01

Abstract:This paper proposes a fault analysis technique on LED by combining algebraic cryptanalysis and differential fault analysis (DFA). The technique is called algebraic differential fault analysis (ADFA). In ADFA on LED, we use DFA to deduce the possible fault differences of the correct and faulty S-Box input in the last round, and convert them into algebraic equations. We then combine the equation set of LED with the injected fault and use the CryptoMiniSat solver to recover the secret key. Our experiments show that, on a common PC, ADFA can succeed on LED under the nibble-based fault model within three minutes and with only one fault injection, which is more efficient than previous DFA work. To evaluate DFA on LED, we first propose an improved evaluation algorithm of DFA, then provide a modified ADFA approach to compute the solutions for the secret key. The results are more accurate than previous work. We also successfully extend ADFA on LED to other fault models using a single fault injection, where traditional DFAs are difficult to launch.

Kai-Hao Chen,Xiaoming Tang,Peng Xu,Man Guo,Weidong Qiu,Zheng Gong

DOI: https://doi.org/10.6633/ijns.201607.18(4).05

2016-01-01

Abstract:TEA (Tiny Encryption Algorithm) is a block cipher with simple ARX (addition, rotation, exclusive-OR) based Feistel network, designed for both hardware and software scenario. Inspired by the auto search algorithm for ARX cipher introduced by Biryukov and Velichkov in 2014, we proposed an improved version of auto search algorithm for ARX cipher and verified in block cipher TEA. By introducing a sorted partial diffierence distribution table (sorted pDDT), our algorithm can eliminate lots of branches in advance during diffierential trail search phase. As time of the search algorithm increase exponentially with the rounds increasing, our algorithm make a great improvement in the search performance.

Yaxin Cui,Hong Xu,Lin Tan,Wenfeng Qi

DOI: https://doi.org/10.1049/2024/5574862

2024-10-01

IET Information Security

Abstract:Reflection structure has a significant advantage that realizing decryption and encryption results in minimum additional costs, and many block ciphers tend to adopt such structure to achieve the requirement of low overhead. PRINCE, MANTIS, QARMA, and PRINCEv2 are lightweight block ciphers with reflection feature proposed in recent years. In this paper, we consider the automatic differential cryptanalysis of reflection block ciphers based on Boolean satisfiability (SAT) method. Since reflection block ciphers have different round functions, we extend forward and backward from the middle structure and achieve to accelerate the search of the optimal differential characteristics for such block ciphers with the Matsui's bounding conditions. As a result, we present the optimal differential characteristics for PRINCE up to 12 rounds (full round), and they are also the optimal characteristics for PRINCEv2. We also find the optimal differential characteristics for MANTIS, QARMA‐64, and QARMA‐128 up to 10, 12, and 8 rounds, respectively. To mount an efficient differential attack on such block ciphers, we present a uniform SAT model by combining the differential characteristic searching process and the key recovery process. With this model, we find two sets of 7‐round differential characteristics for PRINCE with less guessed key bits and use them to present a multiple differential attack against 11‐round PRINCE, which improves the known single‐key attack on PRINCE by one round to our knowledge.

computer science, information systems, theory & methods

Mingshuai Chen,Martin Fränzle,Yangjia Li,Peter Nazier Mosaad,Naijun Zhan

DOI: https://doi.org/10.1007/978-3-319-48989-6_9

2016-01-01

Abstract:Verification by simulation, based on covering the set of time-bounded trajectories of a dynamical system evolving from the initial state set by means of a finite sample of initial states plus a sensitivity argument, has recently attracted interest due to the availability of powerful simulators for rich classes of dynamical systems. System models addressed by such techniques involve ordinary differential equations (ODEs) and can readily be extended to delay differential equations (DDEs). In doing so, the lack of validated solvers for DDEs, however, enforces the use of numeric approximations such that the resulting verification procedures would have to resort to (rather strong) assumptions on numerical accuracy of the underlying simulators, which lack formal validation or proof. In this paper, we pursue a closer integration of the numeric solving and the sensitivity-related state bloating algorithms underlying verification by simulation, together yielding a safe enclosure algorithm for DDEs suitable for use in automated formal verification. The key ingredient is an on-the-fly computation of piecewise linear, local error bounds by nonlinear optimization, with the error bounds uniformly covering sensitivity information concerning initial states as well as integration error.

Gao Wang,Gaoli Wang,Siwei Sun

DOI: https://doi.org/10.1049/2024/4097586

2024-11-03

IET Information Security

Abstract:At CRYPTO 2019, Gohr showed the significant advantages of neural distinguishers over traditional distinguishers in differential cryptanalysis. At fast software encryption (FSE) 2024, Bellini et al. provided a generic tool to automatically train the (related‐key) differential neural distinguishers for different block ciphers. In this paper, based on the intrinsic principle of differential cryptanalysis and neural distinguisher, we propose a superior (related‐key) differential neural distinguisher that uses the ciphertext pairs generated by two different differences. In addition, we give a framework to automatically train our (related‐key) differential neural distinguisher with four steps: difference selection, sample generation, training pipeline, and evaluation scheme. To demonstrate the effectiveness of our approach, we apply it to the block ciphers: Simon, Speck, Simeck, and Hight. Compared to the existing results, our method can provide improved accuracy and even increase the number of rounds that can be analyzed. The source codes are available in https://github.com/differentialdistinguisher/AutoND_New.

computer science, information systems, theory & methods

Yiyuan Luo,Xuejia Lai,Zhongming Wu,Guang Gong

DOI: https://doi.org/10.1155/2017/5980251

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:In this paper, we propose a systematic method for finding impossible differentials for block cipher structures, which we call the unified impossible differential finding method or UID-method. It is more effective than the U-method introduced by Kim et al. We apply the UID-method to some well-known block cipher structures. Using it, we find a 16-round impossible differential for Gen-Skipjack and a 19-round impossible differential for Gen-CAST256. By this result we can disprove Sung’s long standing conjecture that no such differential is possible for 16 or more rounds. On Gen-MARS and SMS4, the impossible differentials found by the UID-method are much longer than those found by the U-method. On the Four-Cell and Gen-RC6 block ciphers, our results are the same as the best results previously obtained.