Jie Cui,Liusheng Huang,Hong Zhong,Wei Yang

DOI: https://doi.org/10.1109/ICCSE.2010.5593579

2010-01-01

Abstract:In this paper the authors present an attack on 7-round AES-128/256 to improve the known cryptanalysis by changing the order of round transformation , using the alternative representation of the round keys, exploiting the relationship of keys, designing the key difference pattern properly. By using the improved attack method, the complexity is reduced from 2 192 to 2 104 with 2 72 chosen plaintexts, the authors reduce complexity to 2 88 using partial sums. ©2010 IEEE.

Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-46706-0_7

2014-01-01

Abstract:This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with 2 121 chosen plaintexts, 2(187.5) 9-round encryptions and 2(185) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.

Liu Ya,Dawu Gu,Zhiqiang Liu,Wei Li,Weihao Kong

DOI: https://doi.org/10.1007/978-94-007-2792-2_43

2011-01-01

Abstract:In this paper, we propose a novel impossible differential attack on 7-round AES-128. Firstly, we construct some new 2-round impossible differentials of AES, which allow us to distinguish the wrong keys from the correct key more efficiently. Based on them, we present an impossible differential attack on 7-round AES-128. The data complexity is about $$ 2^{80} $$ chosen plaintexts. Compared to the best known result, the data complexity of our attack is reduced by nearly $$ 2^{ - 26.2} $$ times.

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/cstic.2016.7464078

2016-01-01

Abstract:Random fault attacks against Advanced Encryption Standard (AES) hardware implementation are widely researched. In the previous fault analysis, 6 rounds of attacks are required to recover the correct round-key, which is not efficient enough for extensive analysis. In this paper, a more efficient fault model is proposed. Based on the analysis of theoretical key candidate number, the proposed attack method can complete the analysis as few as 3 rounds. Experiment results shows that nearly 90% of the attacks recover the correct round-key with 3 rounds and in average only 3.125 rounds are required with our proposed attack method.

Kai Luo,Leibo Liu

DOI: https://doi.org/10.2991/icmemtc-16.2016.238

2016-01-01

Abstract:In the paper, an improved plan is proposed based on AES encryption algorithm. Complex mix-column operation in the AES implementation process is simplified by the improved plan, and an anti-power attack technology is further proposed on the basis of implementing the improved plan. The technology is based on hamming weight model theory of power consumption. Power consumption is balanced through complementary operations on the algorithm level. The operation power consumption is always not related with intermediate data produced by encryption algorithm at any time during hardware implementation, thereby hiding power consumption and data information and achieving the purpose of anti-power attack.

Gaëtan Leurent,Clara Pernot

DOI: https://doi.org/10.1007/s00145-024-09522-5

2024-11-03

Journal of Cryptology

Abstract:In this paper, we present a new representation of the AES key schedule, with some implications to the security of AES-based schemes. In particular, we show that the AES-128 key schedule can be split into four independent parallel computations operating on 32-bit chunks, up to linear transformation. Surprisingly, this property has not been described in the literature after more than 20 years of analysis of AES. We show two consequences of our new representation, improving previous cryptanalysis results of AES-based schemes. First, we observe that iterating an odd number of key schedule rounds results in a permutation with short cycles. This explains an observation of Khairallah on mixFeed, a second-round candidate in the NIST lightweight competition. Our analysis actually shows that his forgery attack on mixFeed succeeds with probability 0.44 (with data complexity 220GB), breaking the scheme in practice. The same observation also leads to a novel attack on ALE, another AES-based AEAD scheme. Our new representation also gives efficient ways to combine information from the first subkeys and information from the last subkeys, in order to reconstruct the corresponding master key. This results in small improvements to previous attacks: We improve impossible differential attacks against several variants of AES (and Rijndael), and a square attack against AES-192.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

JiaLin Huang,XueJia Lai

DOI: https://doi.org/10.1007/s11432-014-5096-6

2014-01-01

Science China Information Sciences

Abstract:Recently, several important block ciphers are considered to be broken by the brute-force-like cryptanalysis, with a time complexity faster than the exhaustive key search by going over the entire key space but performing less than a full encryption for each possible key. Motivated by this observation, we describe a meetin-the-middle attack that can always be successfully mounted against any practical block ciphers with success probability one. The data complexity of this attack is the smallest according to the unicity distance. The time complexity can be written as 2 k (1 − ∈), where ∈ > 0 for all practical block ciphers. Previously, the security bound that is commonly accepted is the length k of the given master key. From our result we point out that actually this k-bit security is always overestimated and can never be reached because of the inevitable loss of the key bits. No amount of clever design can prevent it, but increments of the number of rounds can reduce this key loss as much as possible. We give more insight into the problem of the upper bound of effective key bits in block ciphers, and show a more accurate bound. A suggestion about the relationship between the key size and block size is given. That is, when the number of rounds is fixed, it is better to take a key size equal to the block size. Also, effective key bits of many well-known block ciphers are calculated and analyzed, which also confirms their lower security margins than thought before. The results in this article motivate us to reconsider the real complexity that a valid attack should compare to.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Tongfei Xia,Anhui Jiyuan,Ziran Zhao,Wei Li,Haoran Fan,Can Cao

DOI: https://doi.org/10.33969/eecs.v3.002

2019-01-01

Abstract:AES is the mostly used block cipher nowadays.At CRYPTO 2016, Sun et al. proposed the first 5-round distinguisher of the AES [19].However, it is somewhat closely related with the keys and hardly be used to mount a key recovery attack.Later in FSE 2016 [12] and EUROCRYPT 2017 [13], the distinguisher was improved.In this paper, by combining the techniques proposed by Sun et al. at CRYPTO 2016, we find a new 3-round integral distinguisher of AES which is closely related with the round keys.Then, based on the new distinguisher, we develop new techniques and give a new integral cryptanalysis for the round-reduced AES.We believe this may give new insight on the security of the AES.

Xiaorui Sun,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-642-10366-7_2

2009-01-01

Abstract:In this paper, we formalize an attack scheme using the key-dependent property, called key-dependent attack. In this attack, the intermediate value, whose distribution is key-dependent, is considered. The attack determines whether a key is right by conducting statistical hypothesis test of the intermediate value. The time and data complexity of the key-dependent attack is also discussed. We also apply key-dependent attack on reduced-round IDEA. This attack is based on the key-dependent distribution of certain items in Biryukov-Demirci Equation. The attack on 5.5-round variant of IDEA requires 221 chosen plaintexts and 2112.1 encryptions. The attack on 6-round variant requires 249 chosen plaintexts and 2112.1 encryptions. Compared with the previous attacks, the key-dependent attacks on 5.5-round and 6-round IDEA have the lowest time and data complexity, respectively.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2008.183

2008-01-01

Abstract:Elliptic curve cryptography (ECC) has been adopted in many systems because it requires shorter keys than traditional public-key algorithms in primary fields. However, power analysis attacks can exploit the power consumption of ECC devices to retrieve secret keys. In this paper, we propose an efficient window-based countermeasure that is secure against existing power analysis attacks. Compared to previous counter- measures, our method has low memory overhead, requiring only a table of w+1 entries when the window size is w bits. It also has better performance than many algorithms that perform one point addition or subtraction for every bit in the scalar.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Yu Sasaki,Lei Wang,Yasuhide Sakai,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1007/978-3-642-31410-0_9

2012-01-01

Abstract:This paper presents an improved single-key attack on a block-cipher XTEA by using the three-subset meet-in-the-middle (MitM) attack. Firstly, a technique on a generic block-cipher is discussed. It points out that the previous work applying the splice-and-cut technique to the three-subset MitM attack contains incomplete arguments, and thus it requires a very large data complexity, which is close to the code book. This paper gives a corrected procedure to keep the data complexity small. Secondly, the three-subset MitM attack is applied for reduced-round XTEA, which is a 64-bit block-cipher with 64-round Feistel network and a 128-bit key. 25 rounds are attacked with 9 known plaintexts and 2120.40 XTEA computations, while the previous best single-key attack only reaches 23 rounds. In the chosen-plaintext model, the attack is extended to 28 rounds with 237 chosen-plaintexts and 2120.38 computations.

Rui Luo,Xuejia Lai,Rong You

DOI: https://doi.org/10.1109/spac.2014.6982727

2014-01-01

Abstract:In this paper, we propose an improved table-based white-box implementation of AES which is able to resist different types of attack, including the BGE attack and De Mulder et al.'s cryptanalysis, to protect information under “white-box attack context”. The notion of white-box attack context, introduced by Chow et al., describes a general setting in which cryptographic algorithms are executed in untrusted environments. In this setting, adversaries have attained complete access to the implementations of cryptographic algorithms as well as the dynamic execution environments. The key strategy applied to our design is to compose different operations of the AES round function and convert the composition into encoded lookup tables. The new scheme exploits larger key-dependent tables, each of which contains two bytes of the round keys. We then analyze the security against different types of attack and measure two security metrics: the “white-box diversity” and “ambiguity”. The new scheme can withstand the BGE attack due to the utilization of larger mixing bijections and tabulated “ShiftRows” it can also resist the cryptanalysis of De Mulder et al. since the bindings between “nTMC” and “TSR” are irreducible and the non-linear encodings are introduced to all tables.

Biaoshuai Tao,Hongjun Wu

DOI: https://doi.org/10.1007/978-3-319-19962-7_3

2015-01-01

Abstract:Biclique attack is currently the only key-recovery attack on the full AES with a single key. Bogdanov et al. applied it to all the three versions of AES by constructing bicliques with size 2(8) x 2(8) and reducing the number of S-boxes computed in the matching phase. Their results were improved later by better selections of differential characteristics in the biclique construction. In this paper, we improve the biclique attack by increasing the biclique size to 2(16) X 2(8) and 2(16) X 2(16). We have a biclique attack on each of the following AES versions:-AES-128 with time complexity 212613 and data complexity 2(16), AES-128 with time complexity 212601 and data complexity 272,- AES-192 with time complexity 218991 and data complexity 248, and-AES-256 with time complexity 225427 and data complexity 2(40).Our results have the best time complexities among all the existing keyrecovery attacks with data less than the entire code book.

Ni Yewen,Cui Xiaoxin,Wang Tian,Fan Yuanning,Han Qiankun,Liu Kefei,Cui Xiaole

DOI: https://doi.org/10.1109/ASICON.2017.8252468

2017-01-01

Abstract:The traditional random multi-byte fault model in AES fault attack only uses the faulty ciphertexts with diagonal-fault distributions to implement differential fault analysis. When there are not enough exploitable faulty ciphertexts, the round key could not be confirmed directly, and a comparatively large search space is still left for brute-force attack. In this paper, an improved differential fault analysis (DFA) using all-fault ciphertexts on AES was proposed. The all-fault ciphertexts could be used to optimize the selection of the brute-force space, which is helpful to recover the secret key quickly and improves the analysis efficiency. The experiment result demonstrated that by applying the DFA with all-fault ciphertexts, the time consumed on the brute-force attack can be reduced 60.81% on average, which significantly accelerated the process of cracking AES.

Jialin Huang,Xuejia Lai

2012-01-01

Abstract:In this paper, we point out a new weakness of the AES key schedule by revisiting an old observation exploited by many known attacks. We also discover a major cause for this weakness is that the column-by-column word-wise property in the key schedule matches nicely with the MixColumns operation in the cipher’s diffusion layer. Then we propose a new key schedule by minor modification to increase the security level for AES. First, it reduces the number of rounds that some attacks are effective, such as SQUARE attacks and meet-in-the-middle attacks; Second, it is interesting that our new key schedule also protects AES from the most devastating related-key differential type attacks, which work against AES-192 and AES-256 with the full number of rounds. Compared with the original key schedule, ours just does a transposition on the output matrix of the subkeys. Compared with other proposed modifications of AES key schedule, our modification adds no non-linear operations, no need to complicate the diffusion method, or complicate the iteration process of generating subkeys. Finally, our results suggest that the route of diffusion propagation should get more attention in the design of key schedules.

An Wang,Man Chen,Zongyue Wang,Xiaoyun Wang

DOI: https://doi.org/10.1109/TCSII.2013.2268379

2013-01-01

Abstract:In 2011, Li presented clockwise collision analysis on nonprotected Advanced Encryption Standard (AES) hardware implementation. In this brief, we first propose a new clockwise collision attack, called fault rate analysis (FRA), on masked AES. Then, we analyze the critical and noncritical paths of the S-box and find that, for its three input bytes, namely, the input value, the input mask, and the output mask, the path relating to the output mask is much shorter than those relating to the other two inputs. Therefore, some sophisticated glitch cycles can be chosen such that the values in the critical path of the whole S-box are destroyed but this short path is not affected. As a result, the output mask does not offer protection to the S-box, which leads to a more efficient attack. Compared with three attacks on masking countermeasures at the Workshop on Cryptographic Hardware and Embedded Systems 2010 and 2011, our method only costs about 8% of their time and 4% of their storage space.

Haibo Zhou,Zheng Li,Xiaoyang Dong,Keting Jia,Willi Meier

DOI: https://doi.org/10.1093/comjnl/bxz152

2020-01-01

The Computer Journal

Abstract:A new conditional cube attack was proposed by Li et al. at ToSC 2019 for cryptanalysis of KECCAK keyed modes. In this paper, we find a new property of Li et al.'s method. The conditional cube attack is modified and applied to cryptanalysis of 5-round KETJE Jr, 6-round XOODOO-AE and XOODYAK, where KETJE Jr is among the third round CAESAR competition candidates and XOODYAK is a Round 2 submission of the ongoing NIST lightweight cryptography project. For the updated conditional cube attack, all our results are shown to be of practical time complexity with negligible memory cost, and test codes are provided. Notably, our results on XOODYAK represent the first third-party cryptanalysis for XOODYAK.