Jiali Shi,Guoqiang Liu,Chao Li,Jianfeng Ma

DOI: https://doi.org/10.23919/cje.2022.00.132

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Type-II generalized Feistel network (GFN) has attracted a lot of attention for its simplicity and high parallelism. Impossible differential attack is one of the powerful cryptanalytic approaches for word-oriented block ciphers such as Feistel-like ciphers. We deduce the impossible differential of Type-II GFN by analyzing the Boolean function in the middle round. The main idea is to investigate the expression with the variable representing the plain-text (ciphertext) difference words for the internal state words. By adopting the miss-in-the-middle approach, we can construct the impossible differential of Type-II GFN. As an illustration, we apply this approach to WARP, a lightweight 128-bit block cipher with a 128-bit key which was presented by Banik et al. at SAC 2020. The structure of WARP is a 32-branch Type-II GFN. Therefore, we find two 21-round truncated impossible differentials and implement a 32-round key recovery attack on WARP. For the 32-round key recovery attack on WARP, some observations are used to mount an effective attack. Taking the advantage of the early abort technique, the data, time, and memory complexities are 2125.69 chosen plaintexts, 2126.68 32-round encryptions, and 2100-bit, repectively. To the best of our knowledge, this is the best attack on WARP in the single-key scenario.

engineering, electrical & electronic

Baoyu Zhu,Xiaoyang Dong,Hongbo Yu

DOI: https://doi.org/10.1007/978-3-030-12612-4_19

2019-01-01

Abstract:At Asiacrypt 2014, Sun et al. proposed a MILP model [20] to search for differential characteristics of bit-oriented block ciphers. In this paper, we improve this model to search for differential characteristics of GIFT [2], a new lightweight block cipher proposed at CHES 2017. GIFT has two versions, namely GIFT-64 and GIFT-128. For GIFT-64, we find the best 12-round differential characteristic and a number of iterative 4-round differential characteristics with our MILP-based model. We give a key-recovery attack on 19-round GIFT-64. For GIFT-128, we find a 18-round differential characteristic and give the first attack on 23-round GIFT-128.

Xuexin Zheng,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-12160-4_8

2014-01-01

Abstract:TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best considering different cryptanalysis methods, our algorithm which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively shows some novelty. Besides, some observations which may be used to mount other types of attacks are given. Overall, making use of some complicated subkey relations and time-memory tradeoff trick, the time, data and memory complexity of attacking 23-round TWINE-80 are 2(79.09) 23-round encryptions, 2(57.85) chosen plaintexts and 2(78.04) blocks respectively. Besides, the impossible differential attack on 24-round TWINE-128 needs 2(58.1) chosen plaintexts, 2(126.78) 24-round encryptions and 2(125.61) blocks of memory.

Yanjun Li,Hao Lin,Xinjie Bi,Shanshan Huo,Yiyi Han

DOI: https://doi.org/10.1016/j.jisa.2023.103696

IF: 4.96

2024-01-19

Journal of Information Security and Applications

Abstract:Shadow (Guo et al., 2021) is a lightweight block cipher based on a new logical combination method of AND-RX operation and the generalized Feistel structure with high diffusion and excellent performance in hardware implementation. In this paper, the components and structure of Shadow cipher are researched, and based on MILP automatic search algorithms for differential trails the 2-round iterative differential characteristics are obtained, then the full-round differential characteristics of both Shadow-32 and Shadow-64 are given. Moreover, targeting Shadow-32, we conduct 32-bit round-key recovery attack by using four 13.5-round differential trails, and the experimental verification shows that the time complexity is 226.02 and space complexity is 214.1 . Recovering the 64 master key bits need to solve a system of multivariate equations over F2 with the time complexity more than 250.69 . For Shadow-64, the process of recovering the master key is similar. Finally, we analyze the reasons for the insecurity of the Shadow cipher that may help to improve the cryptographic performance of the Shadow or provide help for a new block cipher design.

computer science, information systems

Rui Zong,Xiaoyang Dong

DOI: https://doi.org/10.1109/access.2019.2946638

IF: 3.9

2019-01-01

IEEE Access

Abstract:In this paper, we study the relation of related-tweak/key impossible differentials with single-key ones. Following a heuristic strategy, we can derive longer related-tweak/key impossible differentials from single-key ones. We implement this strategy with the MILP technique and apply it to search related-tweak/key impossible differentials of two tweakable block ciphers: QARMA-64 and Joltik-BC-128. For QARMA-64, we find several 7-round related-tweak impossible differential distinguishers and use them to mount a 10-round key recovery attack including the outer whitening key; for Joltik-BC-128, we find two 6-round related-tweakey impossible differential distinguishers and use them attack 9-round and 10-round Joltik-BC-128 respectively.

Lele Chen,Gaoli Wang,GuoYan Zhang

DOI: https://doi.org/10.1093/comjnl/bxz076

2019-10-15

The Computer Journal

Abstract:Abstract The rectangle attack is the extension of the traditional differential attack and is evolved from the boomerange attack. It has been widely used to attack several existing ciphers. In this article, we study the security of lightweight block ciphers GIFT, Khudra and MIBS against related-key rectangle attack. We use Mixed-Integer Linear Programming-aided cryptanalysis to search rectangle distinguishers by taking into account the effect of the ladder switch technique. For GIFT, we build a 19-round related-key rectangle distinguisher and attack on 23-round GIFT-64, which requires 260 chosen plaintexts and 2107 encryptions. For Khudra, a 14-round related-key rectangle distinguisher can be built, which leads us to a 17-round rectangle attack. Our attack on 17-round Khudra requires a data complexity of 262.9 chosen plaintexts and a time complexity of 273.9 encryptions. For MIBS, we construct a 13-round related-key rectangle distinguisher and propose an attack on 15-round MIBS-64 with time complexity of 259 and data complexity of 245. Compared to the previous best related-key rectangle attack, we can attack one more round on Khudra and MIBS-64 than before.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Zhan Chen,Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-49151-6_1

2016-01-01

Abstract:The Midori family of light weight block cipher is presented in ASIACRYPT2015. It is uses a SPN structure and has two versions: Midori64 and Midori128. In this paper we use a 6-round impossible differential path and present 10-round impossible differential attack on Midori128. We exploit the properties of S-boxes to aid our attack. We construct a hash table in the pre-computation phase to reduce time complexity. Our attack requires 2(116.17) chosen plaintexts, 2(97) blocks of memory and 2(116.71) 10-round Midori128 encryptions. We show that this is the first attack ever applied to Midori128.

Ning Wang,Xiaoyun Wang,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-30840-1_9

2015-01-01

Abstract:LBlock is a 32-round lightweight block cipher with a 64-bit block size and an 80-bit key. This paper presents a new impossible differential attack on LBlock by improving the previous best result for 1 more round. Based on the nibble conditions, detailed differential properties of LBlock S-Boxes and thorough exploration of subkey relations, we set up well precomputation tables to collect the data needed and propose an optimal key-guessing arrangement to effectively reduce the time complexity of the attack. With these techniques, we launch an impossible differential attack on 24-round LBlock. To the best of our knowledge, this attack is currently the best in terms of the number of rounds attacked (except for biclique attacks).

Debranjan Pal,Vishal Pankaj Chandratreya,Abhijit Das,Dipanwita Roy Chowdhury

2024-05-01

Abstract:Symmetric key cryptography stands as a fundamental cornerstone in ensuring security within contemporary electronic communication frameworks. The cryptanalysis of classical symmetric key ciphers involves traditional methods and techniques aimed at breaking or analyzing these cryptographic systems. In the evaluation of new ciphers, the resistance against linear and differential cryptanalysis is commonly a key design criterion. The wide trail design technique for block ciphers facilitates the demonstration of security against linear and differential cryptanalysis. Assessing the scheme's security against differential attacks often involves determining the minimum number of active SBoxes for all rounds of a cipher. The propagation characteristics of a cryptographic component, such as an SBox, can be expressed using Boolean functions. Mixed Integer Linear Programming (MILP) proves to be a valuable technique for solving Boolean functions. We formulate a set of inequalities to model a Boolean function, which is subsequently solved by an MILP solver. To efficiently model a Boolean function and select a minimal set of inequalities, two key challenges must be addressed. We propose algorithms to address the second challenge, aiming to find more optimized linear and non-linear components. Our approaches are applied to modeling SBoxes (up to six bits) and EXOR operations with any number of inputs. Additionally, we introduce an MILP-based automatic tool for exploring differential and impossible differential propagations within a cipher. The tool is successfully applied to five lightweight block ciphers: Lilliput, GIFT64, SKINNY64, Klein, and MIBS.

Cryptography and Security

Keting Jia,Jiazhe Chen,Meiqin Wang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-28496-0_11

2011-01-01

Abstract:Modular Multiplication based Block Cipher (MMB) is a block cipher designed by Daemen et al. as an alternative to the IDEA block cipher. In this paper, we give a practical sandwich attack on MMB with adaptively chosen plaintexts and ciphertexts. By constructing a 5-round sandwich distinguisher of the full 6-round MMB with probability 1, we recover the main key of MMB with text complexity 240 and time complexity 240 MMB encryptions. We also present a chosen plaintexts attack on the full MMB by employing the rectangle-like sandwich attack, which the complexity is 266.5 texts, 266.5 MMB encryptions and 270.5 bytes of memory. In addition, we introduce an improved differential attack on MMB with 296 chosen plaintexts, 296 encryptions and 266 bytes of memory. Especially, even if MMB is extended to 7 rounds, the improved differential attack is applicable with the same complexity as that of the full MMB.

Asli Bay,Jorge Nakahara,Serge Vaudenay

DOI: https://doi.org/10.1007/978-3-642-17619-7_1

2010-01-01

Abstract:This paper presents the first independent and systematic linear, differential and impossible-differential (ID) cryptanalyses of MIBS, a lightweight block cipher aimed at constrained devices such as RFID tags and sensor networks. Our contributions include linear attacks on up to 18-round MIBS, and the first ciphertext-only attacks on 13-round MIBS. Our differential analysis reaches 14 rounds, and our impossible-differential attack reaches 12 rounds. These attacks do not threaten the full 32-round MIBS, but significantly reduce its margin of security by more than 50%. One fact that attracted our attention is the striking similarity of the round function of MIBS with that of the Camellia block cipher. We actually used this fact in our ID attacks. We hope further similarities will help build better attacks for Camellia as well.

Meiqin Wang,Xiaoyun Wang,Kam Pui Chow,Lucas Chi Kwong Hui

DOI: https://doi.org/10.1587/transfun.e93.a.2744

2010-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics and they can attack 5-round CAST-128. In this paper, we studied the properties of round functions F1 and F3 in CAST-128, and identified differential characteristics for F1 round function and F3 round function. So we identified a 6-round differential characteristic with probability 2-53 under 2-23.8 of the total key space. Then based on 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72bits and 9-round CAST-128 with key sizes greater than or equal to 104bits. We give the summary of attacks on reduced-round CAST-128 in Table 10.

Rui Zong,Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-016-9075-6

2017-01-01

Science China Information Sciences

Abstract:Simpira v2 is a family of cryptographic permutations proposed at ASIACRYPT 2016, and can be used to construct high throughput block ciphers by using the Even-Mansour construction, permutationbased hashing, and wide-block authenticated encryption. This paper shows a 9-round impossible differential of Simpira-4. To the best of our knowledge, this is the first 9-round impossible differential. To determine some efficient key recovery attacks on its block cipher mode (Even-Mansour construction with Simpira-4), we use some 6/7-round shrunken impossible differentials. Based on eight 6-round impossible differentials, we propose a series of 7-round key recovery attacks on the block cipher mode; each 6-round impossible differential helps recover 32 bits of the master key (512 bits), and in total, half of the master key bits are recovered. The attacks require 257 chosen plaintexts and 257 7-round encryptions. Furthermore, based on ten 7-round impossible differentials, we add one round on the top or at the bottom to mount ten 8-round key recovery attacks on the block cipher mode. This helps recover the full key space (512 bits) with a data complexity of 2170 chosen plaintexts and time complexity of 2170 8-round encryptions. Those are the first attacks on the round-reduced Simpira v2 and do not threaten the Even-Mansour mode with the full 15-round Simpira-4.

Qianmei Wu,Fan Zhang,Shize Guo,Kun Yang,Haoting Shen

DOI: https://doi.org/10.1109/tc.2024.3416682

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:As a common defense against side-channel attacks, random delay insertion introduces noise into the executive flow of encryption, which increases attack complexity. Accordingly, various techniques are exploited to mitigate the defense effect of such insertions. As an advanced mathematical technique, wavelet analysis is considered to be a more effective technology according to its detailed and comprehensive interpretation of signals. In this paper, we propose a unified and fully automated wavelet-based attack framework (denoted as UWAF), whose data processing is kept within one unified wavelet domain, with three enhanced components: denoising, alignment and key extraction. We put forward a new idea of combining machine learning with wavelet analysis to realize the full automation of the program for attack framework, rendering it possible to search exhaustively for the optimal combination of parameter settings in wavelet transform. Our proposal finds a new setting of wavelet parameters that have not been exploited ever before and achieves the performance enhancement for about 20 times fewer traces required for successful key recovery. UWAF is compared with several mainstream attack frameworks. Experimental results show that it outperforms those counterparts, and can be considered as an effective framework-level solution to defeat the countermeasure of random delay insertion.

MeiQin Wang,XiaoYun Wang,Lucas C.K. Hui

DOI: https://doi.org/10.1007/s11432-010-0048-2

2010-01-01

Abstract:Differential cryptanalysis is a general cryptanalytic tool that makes use of differentials over some rounds of a cipher, combined with some key bit guesses of one or two rounds. This paper introduces a new cryptanalysis strategy of block ciphers named differential-algebraic cryptanalysis. The idea of differential-algebraic cryptanalysis is to find a differential with high probability and build the multivariable system equations for the last few rounds. The subkey values of the last few rounds can be obtained by filtering the solutions of system equations instead of guessing all possible subkey values. We use the differential-algebraic cryptanalysis to break 8-round Serpent-256. Our attack can recover the 256-bit key with 283 chosen plaintexts, 2180.4 8-round Serpent-256 encryptions and 2176.7 bytes memory. Compared with the previous differential cryptanalysis results, both the data complexity and the time complexity are reduced, but the memory requirements are increased. The time complexity and the memory requirements are very close, and a time-memory tradeoff is exploited.

Keting Jia,Leibo Li

DOI: https://doi.org/10.1007/978-3-642-35416-8_2

2012-01-01

Abstract:MISTY1 is a Feistel block cipher with a 64-bit block and a 128-bit key. It is one of the final NESSIE portfolio of block ciphers, and has been recommended for Japanese e-Government ciphers by the CRYPTREC project. In this paper, we improve the impossible differential attack on 6-round MISTY1 with 4 FL layers introduced by Dunkelman et al. with a factor of 211 for the time complexity. Furthermore, combing with the FL function properties and the key schedule algorithm, we propose an impossible differential attack on 7-round MISTY1 with 3 FL layers, which needs 258 known plaintexts and 2124.4 7-round encryptions. It is the first attack on 7-round MISTY1 in the known plaintext model to the best of our knowledge. Besides, we show an improved impossible differential attack on 7-round MISTY1 without FL layers with 292.2 7-round encryptions and 255 chosen plaintexts, which has lower time complexity than previous attacks.

Xiaoyang Dong,Yanzhao Shen

2016-01-01

Abstract:Midori is a hardware-oriented lightweight block cipher designed by Banik et al. in ASIACRYPT 2015. It has two versions according to the state sizes, i.e. Midori64 and Midori128. In this paper, we explore the security of Midori64 against truncated differential and related-key differential attacks. By studying the compact representation of Midori64, we get the branching distribution properties of almost MDS matrix used by Midori64. By applying an automatic truncated differential search algorithm developed by Moriai et al. in SAC 1999, we get 3137 4-round truncated differentials of Midori64. In addition, we find some 2-round iterative differential patterns for Midori64. By searching the differential characteristics matching the differential pattern, we find some iterative 2-round differentials with probability of 2−24, based on these differentials, a 11-round related-key differential characteristic is constructed. Then we mount a 14-round(out of 16 full rounds) related-key differential attack on Midori64. As far as we know, this is the first related-key differential attack on Midori64.

Xiutao Feng,Fan Zhang,Hui Wang

2014-01-01

Abstract:PANDA is a family of authenticated ciphers submitted to CARSAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about 2 under the known-plaintext-attack model, which needs about 132 pairs of known plaintext/ciphertext. Based on the above attack, we further deduce a forgery attack against PANDA-s. Our results show that PANDA-s is far from the goal of its security design (128-bit level).

Xiaofei Dong,Fan Zhang,Samiya Queshi,Yiran Zhang,Ziyuan Liang,Bolin Yang,Feng Gao

DOI: https://doi.org/10.1109/asianhost.2018.8607162

2018-01-01

Abstract:Random delay insertion is a simple yet rather effective technique to increase the difficulty for traditional power analysis. However as compared to the random masking technique, it is uncommonly used as a countermeasure considering the frequency analysis. In this paper, it is investigated that the frequency analysis may not work as efficiently as expected when facing to advanced random delay countermeasures. Hence, a novel attack is proposed which is in the wavelet domain. After preprocessing the wavelet coefficients of power traces with wavelet decomposition, the effects of multiple random delays can be removed. Two attack strategies are proposed to recover the secret key: either indirectly from the reconstructed power traces without random delays or directly from the processed wavelet coefficients. Our experimental results show that the wavelet-based power analysis attack can perform much better than those frequency-based ones, which is evaluated through several standard metrics to show the efficiency and robustness.