Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

Fen Liu,Zhe Sun,Xi Luo,Chao Li,Junping Wan

DOI: https://doi.org/10.3390/math12111696

IF: 2.4

2024-05-31

Mathematics

Abstract:This paper delves into the realm of cryptographic analysis by employing mixed-integer linear programming (MILP), a powerful tool for automated cryptanalysis. Building on this foundation, we apply the division property method alongside MILP to conduct a comprehensive cryptanalysis of the IIoTBC (industrial Internet of Things block cipher) algorithm, a critical cipher in the security landscape of industrial IoT systems. Our investigation into IIoTBC System A has led to identifying a 14-round integral distinguisher, further extended to a 22-round key recovery. This significant finding underscores the cipher's susceptibility to sophisticated cryptanalytic attacks and demonstrates the profound impact of combining the division property method with MILP in revealing hidden cipher weaknesses. In the case of IIoTBC System B, our innovative approach has uncovered a full-round distinguisher. We provide theoretical validation for this distinguisher and uncover a pivotal structural issue in the System B algorithm, specifically the non-diffusion of its third branch. This discovery sheds light on inherent security challenges within System B and points to areas for potential enhancement in its design. Our research, through its methodical examination and analysis of the IIoTBC algorithm, contributes substantially to the field of cryptographic security, especially concerning industrial IoT applications. By uncovering and analyzing the vulnerabilities within IIoTBC, we enhance the understanding of cipher robustness and pave the way for advancements in securing industrial IoT communications.

mathematics

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1109/tc.2023.3315057

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:With the rapid development of the Internet of Things (IoT), many new lightweight block ciphers are designed in recent years to meet the security demand in IoT devices. Shadow is a lightweight block cipher designed for IoT Nodes (IEEE Internet of Things Journal, 2021). In this article, an efficient attack on full-round Shadow is proposed based on the idea of a related-key differential attack. First, a differential transfer property for AND operation is illustrated. This property demonstrates a link between the difference and the input value. If the difference of the input is not zero, to lead to a zero difference, there are some constraints on the input value. Furthermore, two properties for Shadow family ciphers are identified. According to these properties, some related keys on Shadow will lead to an internal collision for the subkey generator, which will eventually lead to a full-round distinguisher. Finally, with the idea of related-key differential attack, an efficient attack is applied to Shadow. For Shadow-32, with 4 related keys, 8 master key bits can be derived in about 0.044 seconds on average. For Shadow-64, with 4 related keys, 24 master key bits can be derived in about 3.9 hours on average. All our theoretical results are verified by experiments.

Zhan Chen,Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-49151-6_1

2016-01-01

Abstract:The Midori family of light weight block cipher is presented in ASIACRYPT2015. It is uses a SPN structure and has two versions: Midori64 and Midori128. In this paper we use a 6-round impossible differential path and present 10-round impossible differential attack on Midori128. We exploit the properties of S-boxes to aid our attack. We construct a hash table in the pre-computation phase to reduce time complexity. Our attack requires 2(116.17) chosen plaintexts, 2(97) blocks of memory and 2(116.71) 10-round Midori128 encryptions. We show that this is the first attack ever applied to Midori128.

Nicky Mouha,Qingju Wang,Dawu Gu,Bart Preneel

DOI: https://doi.org/10.1007/978-3-642-34704-7_5

2011-01-01

Abstract:Differential and linear cryptanalysis are two of the most powerful techniques to analyze symmetric-key primitives. For modern ciphers, resistance against these attacks is therefore a mandatory design criterion. In this paper, we propose a novel technique to prove security bounds against both differential and linear cryptanalysis. We use mixed-integer linear programming (MILP), a method that is frequently used in business and economics to solve optimization problems. Our technique significantly reduces the workload of designers and cryptanalysts, because it only involves writing out simple equations that are input into an MILP solver. As very little programming is required, both the time spent on cryptanalysis and the possibility of human errors are greatly reduced. Our method is used to analyze Enocoro-128v2, a stream cipher that consists of 96 rounds. We prove that 38 rounds are sufficient for security against differential cryptanalysis, and 61 rounds for security against linear cryptanalysis. We also illustrate our technique by calculating the number of active S-boxes for AES.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1155/2022/3611840

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:LiCi-2 is an ultralightweight block cipher designed for constrained IoT devices. It is a successor of LiCi and has even better performance in both software and hardware implementation. In this paper, based on the idea of related-key multiple impossible differential cryptanalysis, a key recovery attack on full-round LiCi-2 is proposed. First, an interesting property is revealed that, with a single bit difference in the related key, a 10-round differential character with probability of 1 exists on LiCi-2. With an automatic approach, the boundaries of impossible differential distinguishers in terms of single-key setting and related-key setting are explored. Under our construction method, the longest length is 8 rounds for single-key setting and 18 rounds for related-key setting. Finally, based on these 18-round distinguishers, a 25-round key recovery attack is proposed with adding 3 rounds before and 4 rounds after the distinguisher. Our attack needs one related key. The time complexity for our attack is O(2123.44), the memory complexity is O(294), and the data complexity is O(260.68). As far as we know, no full-round attack has previously been reported on LiCi-2.

Li Zhang,Yu Zhang,Wenling Wu,Yongxia Mao,Yafei Zheng

DOI: https://doi.org/10.1093/comjnl/bxad009

2023-03-09

The Computer Journal

Abstract:Abstract Whether a block cipher can resist impossible differential attack is an important basis to evaluate the security of a block cipher. However, the length of impossible differentials is important for the security evaluation of block ciphers. Most of the previous studies are based on structural cryptanalysis to find the impossible differential, and the structural cryptanalysis covers a lot of specific cryptanalytic vectors which are independent of the nonlinear S-boxes. In this paper, we study the maximum length of the impossible differential of an Advanced Encryption Standard-like cipher in the setting with the details of S-boxes. Inspired by the ‘Divide-and-Conquer’ technique, we propose a new technique called Reduced Block, which combines the details of the S-box. With this tool, the maximum length of impossible differentials can be proven under reasonable assumptions. As applications, we use this tool on uBlock and Midori. Consequently, we prove that for uBlock-128, uBlock-256 and Midori-64, there are no impossible five-round, six-round and seven-round differentials with one active input nibble and one active output nibble, even when considering the details of S-boxes. Furthermore, we reveal some properties of the uBlock S-box and linear layer and demonstrate theoretically that there are no impossible differentials longer than four rounds for uBlock-128 under the assumption that the round keys are independent and uniformly random. This study might provide some insight into the bounds of the length of impossible differentials.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Aayush Jain,Varun Kohli,Girish Mishra

DOI: https://doi.org/10.48550/arXiv.2112.05061

2021-12-09

Cryptography and Security

Abstract:Recent years have seen an increasing involvement of Deep Learning in the cryptanalysis of various ciphers. The present study is inspired by past works on differential distinguishers, to develop a Deep Neural Network-based differential distinguisher for round reduced lightweight block ciphers PRESENT and Simeck. We make improvements in the state-of-the-art approach and extend its use to the two structurally different block ciphers, PRESENT-80 and Simeck64/128. The obtained results suggest the universality of our cryptanalysis method. The proposed method can distinguish random data from the cipher data obtained until 6 rounds of PRESENT and 7 rounds of Simeck encryption with high accuracy. In addition to this, we explore a new approach to select good input differentials, which to the best of our knowledge has not been explored in the past. We also provide a minimum-security requirement for the discussed ciphers against our differential attack.

Marco Calderini,Roberto Civino,Riccardo Invernizzi

2024-01-09

Abstract:The use of alternative operations in differential cryptanalysis, or alternative notions of differentials, are lately receiving increasing attention. Recently, Civino et al. managed to design a block cipher which is secure w.r.t. classical differential cryptanalysis performed using XOR-differentials, but weaker with respect to the attack based on an alternative difference operation acting on the first s-box of the block. We extend this result to parallel alternative operations, i.e. acting on each s-box of the block. First, we recall the mathematical framework needed to define and use such operations. After that, we perform some differential experiments against a toy cipher and compare the effectiveness of the attack w.r.t. the one that uses XOR-differentials.

Cryptography and Security,Information Theory,Group Theory

Xiaoyang Dong,Yanzhao Shen

2016-01-01

Abstract:Midori is a hardware-oriented lightweight block cipher designed by Banik et al. in ASIACRYPT 2015. It has two versions according to the state sizes, i.e. Midori64 and Midori128. In this paper, we explore the security of Midori64 against truncated differential and related-key differential attacks. By studying the compact representation of Midori64, we get the branching distribution properties of almost MDS matrix used by Midori64. By applying an automatic truncated differential search algorithm developed by Moriai et al. in SAC 1999, we get 3137 4-round truncated differentials of Midori64. In addition, we find some 2-round iterative differential patterns for Midori64. By searching the differential characteristics matching the differential pattern, we find some iterative 2-round differentials with probability of 2−24, based on these differentials, a 11-round related-key differential characteristic is constructed. Then we mount a 14-round(out of 16 full rounds) related-key differential attack on Midori64. As far as we know, this is the first related-key differential attack on Midori64.

Cui Tingting,Chen Shiyao,Fu Kai,Wang Meiqin,Jia Keting

DOI: https://doi.org/10.1007/s11432-018-1506-4

2020-01-01

Science China Information Sciences

Abstract:Impossible differential and zero-correlation linear cryptanalysis are two of the most powerful cryptanalysis methods in the field of symmetric key cryptography. There are several automatic tools to search such trails for ciphers with S-boxes. These tools focus on the properties of linear layers, and idealize the underlying S-boxes, i.e., assume any input and output difference pairs are possible. In reality, such S-box never exists, and the possible output differences with any fixed input difference can be at most half of the entire space. Hence, some of the possible differential trails under the ideal world become impossible in reality, possibly resulting in impossible differential trails for more rounds. In this paper, we firstly take the differential and linear properties of non-linear components such as S-box into consideration and propose a new automatic tool to search impossible differential trails for ciphers with S-box. We then generalize the tool to modulo addition, and apply it to ARX ciphers. To demonstrate the usefulness of the tool, we apply it to HIGHT, SHACAL-2, LEA, LBlock. As a result, it improves the best existing results of each cipher. keywords Impossible differential cryptanalysis, zero-correlation linear cryptanalysis, MILP, automatic tool

Li Wei,Tao Zhi,Gu Dawu,Sun Li,Qu Bo,Liu Zhiqiang,Liu Ya

DOI: https://doi.org/10.1109/cc.2014.6879011

2014-01-01

Abstract:Due to the strong attacking ability, fast speed, simple implementation and other characteristics, differential fault analysis has become an important method to evaluate the security of cryptosystem in the Internet of Things. As one of the AES finalists, the Serpent is a 128-bit Substitution-Permutation Network (SPN) cryptosystem. It has 32 rounds with the variable key length between 0 and 256 bits, which is flexible to provide security in the Internet of Things. On the basis of the byte-oriented model and the differential analysis, we propose an effective differential fault attack on the Serpent cryptosystem. Mathematical analysis and simulating experiment show that the attack could recover its secret key by introducing 48 faulty ciphertexts. The result in this study describes that the Serpent is vulnerable to differential fault analysis in detail. It will be beneficial to the analysis of the same type of other iterated crypto systems.

Pu Sun,Fu Song,Yuqi Chen,Taolue Chen

DOI: https://doi.org/10.1145/3632871

2024-01-05

Proceedings of the ACM on Programming Languages

Abstract:Differential cryptanalysis is a powerful algorithmic-level attack, playing a central role in evaluating the security of symmetric cryptographic primitives. In general, the resistance against differential cryptanalysis can be characterized by the maximum expected differential characteristic probability. In this paper, we present generic and extensible approaches based on mixed integer linear programming (MILP) to bound such probability. We design a high-level cryptography-specific language EasyBC tailored for block ciphers and provide various rigorous procedures, as differential denotational semantics, to automate the generation of MILP from block ciphers written in EasyBC. We implement an open-sourced tool that provides support for fully automated resistance evaluation of block ciphers against differential cryptanalysis. The tool is extensively evaluated on 23 real-life cryptographic primitives including all the 10 finalists of the NIST lightweight cryptography standardization process. The experiments confirm the expressivity of EasyBC and show that the tool can effectively prove the resistance against differential cryptanalysis for all block ciphers under consideration. EasyBC makes resistance evaluation against differential cryptanalysis easily accessible to cryptographers.

Wei Li,Wenwen Zhang,Dawu Gu,Zhi Tao,Zhihong Zhou,Ya Liu,Zhiqiang Liu

DOI: https://doi.org/10.3837/tiis.2015.02.018

2015-01-01

KSII Transactions on Internet and Information Systems

Abstract:The TWINE is a new Generalized Feistel Structure (GFS) lightweight cryptosystem in the Internet of Things. It has 36 rounds and the key lengths support 80 bits and 128 bits, which are flexible to provide security for the RFID, smart cards and other highly-constrained devices. Due to the strong attacking ability, fast speed, simple implementation and other characteristics, the differential fault analysis has become an important method to evaluate the security of lightweight cryptosystems. On the basis of the 4-bit fault model and the differential analysis, we propose an effective differential fault attack on the TWINE cryptosystem. Mathematical analysis and simulating experiments show that the attack could recover its 80-bit and 128-bit secret keys by introducing 8 faulty ciphertexts and 18 faulty ciphertexts on average, respectively. The result in this study describes that the TWINE is vulnerable to differential fault analysis. It will be beneficial to the analysis of the same type of other iterated lightweight cryptosystems in the Internet of Things.

Shiqi Hou,Baofeng Wu,Shichang Wang,Hao Guo,Dongdai Lin

DOI: https://doi.org/10.1093/comjnl/bxad075

2024-01-01

Abstract:In truncated differential cryptanalysis of symmetric primitives, a generalized framework is to search a distinguisher concerning part of output differences, like truncated differential distribution (TDD) on certain bits (e.g. a nibble) first, and then append several rounds before and after it to recover the secret key. The logarithmic likelihood ratio statistic with respect to the TDD is usually used to distinguish guessed key bits. In this paper, we study how to improve the effect of truncated differential cryptanalysis by considering key schedules of the attacked ciphers. It turns out that for a cipher with a simple key schedule, certain guessed subkey bits may reveal information of the master key, which will help build a stronger TDD distinguisher and reduce the key recovery complexity or attack more rounds. As a result, we explore heuristic techniques to search key-recovery-friendly TDDs and construct automatic search models based on MILP. The refined methods are applied to two recent designs of symmetric primitives, WARP and Orthros, together with peculiarities of their structures as well. For WARP, after making two observations on relations between certain differences with key bits, we propose an algorithm that can find TDDs with low complexities and having potentialities to cover more rounds. Consequently, we launch key recovery attacks on 24 to 27 rounds of WARP. When it comes to Orthros, we present a two-step search algorithm to balance the number of guessed key bits and TDDs, obtaining a key recovery attack on a 7-round variant of it in the weak-key setting. Finally, we perform several verification experiments on round-reduced versions of WARP and Orthros, and the experimental results are consistent with the theoretical distributions and the analysis of generalized key recovery attack framework.

xuejia lai,james l massey,sean d murphy

DOI: https://doi.org/10.1007/3-540-46416-6_2

1991-01-01

Abstract:This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple (α, β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs that have difference β, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are also the mini-version of PES with block length 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round differential has a probability about 2-58. A differential cryptanalysis attack of PES(64) based on this differential is shown to require all 264 possible encryptions. This cryptanalysis of PES suggested a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric. A minor modification of PES, consistent with all the original design principles, is proposed that satisfies this new design criterion. This modified cipher, called Improved PES (IPES), is described and shown to be highly resistant to differential cryptanalysis.

Ting Fan,Lingchen Li,Yongzhuang Wei,Enes Pasalic

DOI: https://doi.org/10.1177/15501329221119398

IF: 1.938

2022-09-04

International Journal of Distributed Sensor Networks

Abstract:International Journal of Distributed Sensor Networks, Volume 18, Issue 9, September 2022. Lightweight ciphers are often used as the underlying encryption algorithm in resource-constrained devices. Their cryptographic security is a mandatory goal for ensuring the security of data transmission. Differential cryptanalysis is one of the most fundamental methods applicable primarily to block ciphers, and the resistance against this type of cryptanalysis is a necessary design criterion. ANU-II is an ultra-lightweight block cipher proposed in 2017, whose design offers many advantages such as the use of fewer hardware resources (logic gates), low power consumption and fast encryption for Internet of Things devices. The designers of ANU-II claimed its resistance against differential cryptanalysis and postulated that the design is safe enough for Internet of Things devices. However, as addressed in this article, the security claims made by designers appear not to be well grounded. Using mixed-integer linear programming–like techniques, we identify one-round differential characteristic that holds with probability 1, which is then efficiently employed in mounting the key recovery attack on full-round ANU-II with only 22 chosen plaintexts and 262.4 full-round encryptions. The result shows that the designers' security evaluation of ANU-II against differential cryptanalysis is incorrect and the design rationale is flawed. To remedy this weakness, we provide an improved variant of ANU-II, which has much better resistance to differential cryptanalysis without affecting the hardware and/or software implementation cost.

Zhiqiang Liu,Dawu Gu,Jing Zhang,Wei Li

DOI: https://doi.org/10.1007/978-3-642-16342-5_3

2010-01-01

Abstract:Differential-linear cryptanalysis was introduced by Langford et al in 1994. After that, Biham et al proposed an enhanced differential-linear cryptanalysis in 2002. In this paper, we present an extension to the enhanced differential-linear cryptanalysis, called differential-multiple linear cryptanalysis, in which a differential characteristic can be concatenated with multiple linear characteristics to derive a differential-multiple linear distinguisher. Furthermore, we introduce a technique about how to find a differential-multiple linear distinguisher based on a differential-linear distinguisher for Feistel and SPN block ciphers. For illustration, this extension is applied to describe a differential-multiple linear distinguisher for 7-round DES, and then the best-known key recovery attack on 9-round DES is presented based on the differential-multiple linear distinguisher. As a matter of fact, our work is a new attempt to concatenate a differential characteristic with multiple linear characteristics to derive a new cryptanalytic tool which may be helpful to analyze a variety of block ciphers including Feistel and SPN schemes.

Nobuyuki Sugio

DOI: https://doi.org/10.1049/2024/1741613

2024-08-26

IET Information Security

Abstract:Many lightweight block ciphers have been proposed for IoT devices that have limited resources. SLIM, LBC‐IoT, and SLA are lightweight block ciphers developed for IoT systems. The designer of SLIM presented a 7‐round differential distinguisher and an 11‐round linear trail using a heuristic method. We have comprehensively sought the longest distinguisher for linear cryptanalysis, zero‐correlation linear cryptanalysis, impossible differential attack, and integral attack using the mixed integer linear Programming (MILP) on SLIM, LBC‐IoT, and SLA. The search led to discovery of a 16‐round linear trail on SLIM, which is 5‐round longer than the earlier result. We have also discovered 7‐, 7‐, and 9‐round distinguishers for zero‐correlation linear cryptanalysis, impossible differential attack, and integral attack, which are new results for SLIM. We have revealed 9‐, 8‐, and 11‐round distinguishers on LBC‐IoT for zero‐correlation linear cryptanalysis, impossible differential attack, and integral attack. We have presented full‐round distinguishers on SLA for integral attack using only two chosen plaintexts. We performed a key recovery attack on 16‐round SLIM with an experimental verification. This verification took 106 s with a success rate of 93%. Moreover, we present a key recovery attack on 19‐round SLIM using 16‐round linear trail with correlation 2−15: the necessary number of known plaintext–ciphertext pairs is 231; the time complexity is 264.4 encryptions; and the memory complexity is 238 bytes. Results show that this is the current best key recovery attack on SLIM. Because the recommended number of rounds is 32, SLIM is secure against linear cryptanalysis, as demonstrated herein.

computer science, information systems, theory & methods

Yanjun Li,Hao Lin,Xinjie Bi,Shanshan Huo,Yiyi Han

DOI: https://doi.org/10.1016/j.jisa.2023.103696

IF: 4.96

2024-01-19

Journal of Information Security and Applications

Abstract:Shadow (Guo et al., 2021) is a lightweight block cipher based on a new logical combination method of AND-RX operation and the generalized Feistel structure with high diffusion and excellent performance in hardware implementation. In this paper, the components and structure of Shadow cipher are researched, and based on MILP automatic search algorithms for differential trails the 2-round iterative differential characteristics are obtained, then the full-round differential characteristics of both Shadow-32 and Shadow-64 are given. Moreover, targeting Shadow-32, we conduct 32-bit round-key recovery attack by using four 13.5-round differential trails, and the experimental verification shows that the time complexity is 226.02 and space complexity is 214.1 . Recovering the 64 master key bits need to solve a system of multivariate equations over F2 with the time complexity more than 250.69 . For Shadow-64, the process of recovering the master key is similar. Finally, we analyze the reasons for the insecurity of the Shadow cipher that may help to improve the cryptographic performance of the Shadow or provide help for a new block cipher design.

computer science, information systems